
Ad-Aware Post for gmad[CLOSED]


  • This topic is locked

#1 gmad (Member, 17 posts)
Please advise as to what I should do before posting a Hijack log to the other forum. Thanks a million for all your help!! You guys ROCK!

Logfile removed: Old Definition file posted

Edited by Andy_veal, 18 May 2005 - 10:22 AM.


#2 gmad (Topic Starter, Member, 17 posts)
BTW, for some reason I am totally unable to update the definitions for Ad-Aware via the internet. I just used whatever came with the initial download.
gmad

#3 Untouchable J (Member, 10 posts)
What happens when you use Webupdate? Manually download the current reference file from below:

SE1R46 17.05.2005(*Note* R45 is still there but the site should be updated with the latest file soon)

Unzip the archive, replace the existing file and restart Ad-Aware to install the reference file correctly.

Once installed follow the instructions here: Before posting an Ad-Aware logfile

...and post your updated, full system scan logfile for review.

HTH

-J

Edited by Untouchable J, 18 May 2005 - 04:20 AM.


#4 gmad (Topic Starter, Member, 17 posts)
I get "Error retrieving update."

I unzipped the file but don't know what to do with it.
Do you do it manually through Explorer, or is there some way through Ad-Aware?

#5 Untouchable J (Member, 10 posts)
Morning gmad,

Replace the existing defs.ref file by unzipping the file to the location where you've installed Ad-aware (C:\Program Files\Lavasoft\Adaware SE is the default location).

For the "Error retrieving update" message:

-Make sure your firewall is allowing internet access for Ad-aware.
-Open Webupdate in Ad-aware, click the configure button, and make sure "Use HTTP Proxy" is marked with a red x.

HTH

-J

#6 gmad (Topic Starter, Member, 17 posts)
Hello HTH, and thanks. After much time I managed to get your update to take and scanned with the following results. All were removed. Please advise. I would like to post my hijack log to the other board when I get your approval.
Thanks again.


Ad-Aware SE Build 1.05
Logfile Created on:Thursday, May 19, 2005 9:45:43 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):2 total references
CoolWebSearch(TAC index:10):24 total references
MRU List(TAC index:0):31 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Tracking Cookie(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints total : 883
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:14 %
Total physical memory:261616 kb
Available physical memory:36420 kb
Total page file size:632428 kb
Available on page file:357980 kb
Total virtual memory:2097024 kb
Available virtual memory:2044224 kb
OS:Microsoft Windows 2000 Professional Service Pack 4 (Build 2195)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-19-2005 9:45:43 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 144
ThreadCreationTime : 5-20-2005 4:01:11 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 168
ThreadCreationTime : 5-20-2005 4:01:21 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 188
ThreadCreationTime : 5-20-2005 4:01:24 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 216
ThreadCreationTime : 5-20-2005 4:01:25 AM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 228
ThreadCreationTime : 5-20-2005 4:01:25 AM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [ccproxy.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 400
ThreadCreationTime : 5-20-2005 4:01:28 AM
BasePriority : Normal
FileVersion : 103.0.2.10
ProductVersion : 103.0.2.10
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:7 [issvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ProcessID : 412
ThreadCreationTime : 5-20-2005 4:01:29 AM
BasePriority : Normal
FileVersion : 8.0.0.64
ProductVersion : 8.0
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : IS Service
InternalName : ISSVC.exe
LegalCopyright : Copyright © 2004 Symantec Corporation
OriginalFilename : ISSVC.exe

#:8 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 424
ThreadCreationTime : 5-20-2005 4:01:29 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:9 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 452
ThreadCreationTime : 5-20-2005 4:01:29 AM
BasePriority : Normal
FileVersion : 103.0.2.10
ProductVersion : 103.0.2.10
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:10 [spbbcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\SPBBC\
ProcessID : 464
ThreadCreationTime : 5-20-2005 4:01:29 AM
BasePriority : Normal
FileVersion : 1,0,1,47
ProductVersion : 1,0,1,47
ProductName : SPBBC
CompanyName : Symantec Corporation
FileDescription : SPBBC Service
InternalName : SPBBCSvc
LegalCopyright : Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : SPBBCSvc.exe

#:11 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 512
ThreadCreationTime : 5-20-2005 4:01:31 AM
BasePriority : Normal
FileVersion : 103.0.2.10
ProductVersion : 103.0.2.10
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:12 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 728
ThreadCreationTime : 5-20-2005 4:01:34 AM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:13 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 760
ThreadCreationTime : 5-20-2005 4:01:34 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:14 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 772
ThreadCreationTime : 5-20-2005 4:01:35 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:15 [navapsvc.exe]
FilePath : C:\Program Files\Norton Internet Security\Norton AntiVirus\
ProcessID : 816
ThreadCreationTime : 5-20-2005 4:01:35 AM
BasePriority : Normal
FileVersion : 11.0.2.4
ProductVersion : 11.0.2
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2005 for Windows 98/ME/2000/XP Copyright © 2004 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:16 [nvsvc32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 860
ThreadCreationTime : 5-20-2005 4:01:35 AM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 936
ThreadCreationTime : 5-20-2005 4:01:40 AM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:18 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 960
ThreadCreationTime : 5-20-2005 4:01:41 AM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:19 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ProcessID : 984
ThreadCreationTime : 5-20-2005 4:01:42 AM
BasePriority : Normal
FileVersion : 1, 8, 54, 478
ProductVersion : 1, 8, 54, 478
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:20 [vsmon.exe]
FilePath : C:\WINNT\system32\ZoneLabs\
ProcessID : 1080
ThreadCreationTime : 5-20-2005 4:01:42 AM
BasePriority : Normal
FileVersion : 3.7.179
ProductVersion : 3.7.179
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:21 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1116
ThreadCreationTime : 5-20-2005 4:01:49 AM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:22 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1128
ThreadCreationTime : 5-20-2005 4:01:50 AM
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:23 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1140
ThreadCreationTime : 5-20-2005 4:01:50 AM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:24 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 476
ThreadCreationTime : 5-20-2005 4:09:10 AM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:25 [mixer.exe]
FilePath : C:\WINNT\
ProcessID : 1440
ThreadCreationTime : 5-20-2005 4:09:14 AM
BasePriority : Normal
FileVersion : 1.58
ProductVersion : 1.58
ProductName : Mixer
CompanyName : C-Media Electronic Inc. (www.cmedia.com.tw)
FileDescription : Mixer
InternalName : Mixer
LegalCopyright : Copyright © 1997-2002
LegalTrademarks : NONE
OriginalFilename : Mixer.EXE
Comments : Feng Min-Chih ([email protected])

#:26 [hpztsb04.exe]
FilePath : C:\WINNT\system32\spool\drivers\w32x86\3\
ProcessID : 1468
ThreadCreationTime : 5-20-2005 4:09:15 AM
BasePriority : Normal
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2001

#:27 [type32.exe]
FilePath : C:\Program Files\Microsoft IntelliType Pro\
ProcessID : 1472
ThreadCreationTime : 5-20-2005 4:09:15 AM
BasePriority : Normal


#:28 [point32.exe]
FilePath : C:\Program Files\Microsoft IntelliPoint\
ProcessID : 852
ThreadCreationTime : 5-20-2005 4:09:16 AM
BasePriority : Normal


#:29 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1496
ThreadCreationTime : 5-20-2005 4:09:18 AM
BasePriority : Idle
FileVersion : 1.00.0501
ProductVersion : 1.00.0501
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:30 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1456
ThreadCreationTime : 5-20-2005 4:09:20 AM
BasePriority : Normal
FileVersion : 103.0.2.10
ProductVersion : 103.0.2.10
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:31 [winpatrol.exe]
FilePath : C:\PROGRA~1\BILLPS~1\WINPAT~1\
ProcessID : 1644
ThreadCreationTime : 5-20-2005 4:09:26 AM
BasePriority : Normal
FileVersion : 9, 1, 0, 0
ProductVersion : 9.1.0.0
ProductName : WinPatrol Monitor
CompanyName : BillP Studios
FileDescription : WinPatrol System Monitor
InternalName : WinPatrol Monitor
LegalCopyright : Copyright © 1997- 2005 BillP Studios
OriginalFilename : Scotty
Comments : Let Scotty the Windows Watchdog patrol your system.

#:32 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ProcessID : 1672
ThreadCreationTime : 5-20-2005 4:09:26 AM
BasePriority : Normal
FileVersion : 1.00.0501
ProductVersion : 1.00.0501
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:33 [psfree.exe]
FilePath : C:\PROGRA~1\PANICW~1\POP-UP~1\
ProcessID : 1692
ThreadCreationTime : 5-20-2005 4:09:31 AM
BasePriority : Normal
FileVersion : 3, 1, 0, 1012
ProductVersion : 1, 0, 0, 1
ProductName : Pop-Up Stopper Free Edition
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
LegalCopyright : Copyright © 2002-2003
OriginalFilename : PSFree.exe

#:34 [dllhostxp.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1732
ThreadCreationTime : 5-20-2005 4:09:33 AM
BasePriority : Normal


#:35 [sndsrvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1268
ThreadCreationTime : 5-20-2005 4:10:14 AM
BasePriority : Normal
FileVersion : 5.4.2.17
ProductVersion : 5.4
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:36 [wuauclt.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2204
ThreadCreationTime : 5-20-2005 4:10:21 AM
BasePriority : Normal
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:37 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1920
ThreadCreationTime : 5-20-2005 4:11:16 AM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

CoolWebSearch Object Recognized!
Type : Process
Data : winsrv32.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\winsrv32.dll)


#:38 [nsmdtr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\AdBlocking\
ProcessID : 1944
ThreadCreationTime : 5-20-2005 4:11:17 AM
BasePriority : Normal
FileVersion : 8.0.0.64
ProductVersion : 8.0
ProductName : Norton Internet Security
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Mediator
LegalCopyright : Copyright © 2004 Symantec Corporation

#:39 [msupgr32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2340
ThreadCreationTime : 5-20-2005 4:11:25 AM
BasePriority : Normal


#:40 [rdshost32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2364
ThreadCreationTime : 5-20-2005 4:11:26 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : rdshost32.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\rdshost32.exe)

Warning! "C:\WINNT\system32\rdshost32.exe"Process could not be terminated!
"C:\WINNT\system32\rdshost32.exe"Process terminated successfully

#:41 [pxhping.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2392
ThreadCreationTime : 5-20-2005 4:11:26 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : pxhping.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\pxhping.exe)

Warning! "C:\WINNT\system32\pxhping.exe"Process could not be terminated!
"C:\WINNT\system32\pxhping.exe"Process terminated successfully

#:42 [mqbckup.exe]
FilePath : C:\WINNT\system32\
ProcessID : 2408
ThreadCreationTime : 5-20-2005 4:11:26 AM
BasePriority : Normal


CoolWebSearch Object Recognized!
Type : Process
Data : mqbckup.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\mqbckup.exe)

Warning! "C:\WINNT\system32\mqbckup.exe"Process could not be terminated!
"C:\WINNT\system32\mqbckup.exe"Process terminated successfully

#:43 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2320
ThreadCreationTime : 5-20-2005 4:45:26 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 4


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "{06ABAA2D-34AB-4902-A326-409BD9B9A7A5}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\internet explorer\toolbar\webbrowser
Value : {06ABAA2D-34AB-4902-A326-409BD9B9A7A5}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_USERS
Object : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\internet explorer\main
Value : HOMEOldSP

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : HOMEOldSP

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 9


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : 63.219.181.7

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : 63.219.181.7
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
Category : Vulnerability
Comment : Trusted zone presumably compromised : 63.219.181.7
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7
Value : http

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 11

MRU List Object Recognized!
Location: : C:\Documents and Settings\Greg Madrigal\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Greg Madrigal\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\clipart gallery\2.0\mrudescription
Description : most recently used description in microsoft clipart gallery


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\office\9.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1580436667-839522115-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg madrigal@serving-sys[2].txt
Category : Data Miner
Comment : Hits:4
Value : Cookie:greg [email protected]/
Expires : 12-31-2037 10:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 43



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : C:\backup\Documents and Settings\Greg\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@real[1].txt
Category : Data Miner
Comment :
Value : C:\backup\Documents and Settings\Greg\Cookies\greg@real[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 45


Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
Category : Data Miner
Comment :
Value : F:\Documents and Settings\Greg\Cookies\[email protected][1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : greg@real[1].txt
Category : Data Miner
Comment :
Value : F:\Documents and Settings\Greg\Cookies\greg@real[1].txt

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
2 entries scanned.
New critical objects:0
Objects found so far: 47




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\run
Value : host

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search\searchproperties\en-us
Value : Panel@Web

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : conc

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : Default_Search_URL
Data : about:blank

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

CoolWebSearch Object Recognized!
Type : File
Data : wplog.txt
Category : Malware
Comment :
Object : C:\WINNT\



CoolWebSearch Object Recognized!
Type : File
Data : balloon.wav
Category : Malware
Comment :
Object : C:\WINNT\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 17
Objects found so far: 64

9:59:58 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:14.939
Objects scanned:171228
Objects identified:32
Objects ignored:0
New critical objects:32
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi

Ewido Trojan and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-update. Run a full scan and save the log.

Post the ewido log and a new HJT.Log

Kc :tazz:
  • 0

#8
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thatman, one of my issues is that I cannot directly update software like Ewido. Says something to the effect that "couldn't download, etc."
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Please post a HJT.log

Thanks

Kc :tazz:
  • 0

#10
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Moving this topic to the HJT forums :tazz:

Thanks for your help thatman
  • 0

#11
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello again Thatman! Here is my Hijack log.... Thanks once again for all your help...It is REALLY appreciated!!!! I'm sure you'll find some evil stuff here...read on..


Logfile of HijackThis v1.99.1
Scan saved at 3:40:29 PM, on 5/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\dllhostxp.exe
C:\WINNT\system32\clfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\dllhostxp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\msupgr32.exe
C:\WINNT\system32\rdshost32.exe
C:\WINNT\system32\pxhping.exe
C:\WINNT\system32\mqbckup.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B541F44-AFCD-458B-922B-F2C2F52B3BB2} - C:\WINNT\system32\rcpie.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E76F92-72E8-4D3B-99AA-4AE946E25CE1}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F78818-E1B4-4DD7-B906-4C5EC873A8BC}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O18 - Filter: text/html - {CCE047F7-44E5-4080-9183-F7D0608AEDB6} - C:\WINNT\system32\rcpie.dll
O18 - Filter: text/plain - {CCE047F7-44E5-4080-9183-F7D0608AEDB6} - C:\WINNT\system32\rcpie.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

Download this zipped file FindRK-files.zip to your desktop.
Unzip the files to your desktop
Restart the PC into safe mode
It must be run in safe mode for it to work correctly.
Open the folder and run the RKFILES.BAT, sit back and wait until it's finished.
Restart back to a normal Windows session and post the text located here C:\Log.txt please and a new HijackThis log.

Kc :tazz:
  • 0

#13
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Alrighty Thatman....Here goes. Let's get the bad guys! :tazz:

First, the log.txt-
Files Found in system Folder............
------------------------
C:\WINNT\system32\iecust.exe: UPX!
C:\WINNT\system32\msupgr32.exe: UPX!
C:\WINNT\system32\rcpie.dll: UPX!
C:\WINNT\system32\rdshost32.exe: UPX!
C:\WINNT\system32\sp2chek.exe: UPX!
C:\WINNT\system32\mqbckup.exe: FSG!
C:\WINNT\system32\pxhping.exe: FSG!
C:\WINNT\system32\subsys.exe: FSG!
C:\WINNT\system32\d3dxov.dll: PEC2
C:\WINNT\system32\dllhostxp.exe: PEC2
C:\WINNT\system32\dnsping.exe: PEC2
C:\WINNT\system32\msacmx.dll: PEC2
C:\WINNT\system32\msupgr.exe: PEC2
C:\WINNT\system32\winsrv32.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished



Then, My new Hijack log-


Logfile of HijackThis v1.99.1
Scan saved at 10:07:11 PM, on 5/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\dllhostxp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msupgr32.exe
C:\WINNT\system32\rdshost32.exe
C:\WINNT\system32\pxhping.exe
C:\WINNT\system32\mqbckup.exe
C:\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B541F44-AFCD-458B-922B-F2C2F52B3BB2} - C:\WINNT\system32\rcpie.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{66E76F92-72E8-4D3B-99AA-4AE946E25CE1}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{D2F78818-E1B4-4DD7-B906-4C5EC873A8BC}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.166.94,69.31.80.244
O18 - Filter: text/html - {CCE047F7-44E5-4080-9183-F7D0608AEDB6} - C:\WINNT\system32\rcpie.dll
O18 - Filter: text/plain - {CCE047F7-44E5-4080-9183-F7D0608AEDB6} - C:\WINNT\system32\rcpie.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
  • 0
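The two HijackThis logs above (posts #11 and #13) are read by hand in the thread. As an added example, not code from the thread, from HijackThis or from any of the tools named here, the following Python script parses lines in that format and flags the entry types that a helper would look at first: R0/R1 search or start pages pointing at a local `res://` DLL resource, O1 hosts-file overrides, O15 Trusted Zone entries with a wildcard or IP literal, O17 NameServer values outside an expected set, and O18 MIME filters, then lists any file referenced from more than one section (here `rcpie.dll` shows up under R1, O2 and O18). The sample lines are copied from the logs on this page; the section meanings follow the HijackThis section numbering as it appears in the log, and the expected DNS server set is an assumption the operator supplies (it is empty by default, so every O17 server is reported).

```python
"""Triage helper for HijackThis-style log lines (added example, not the project's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\rcpie.dll/sp.html (obfuscated)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B541F44-AFCD-458B-922B-F2C2F52B3BB2} - C:\WINNT\system32\rcpie.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E1FDD6F-EEAD-420A-9E3C-E8CD3B379B6F}: NameServer = 69.50.166.94,69.31.80.244
O18 - Filter: text/html - {CCE047F7-44E5-4080-9183-F7D0608AEDB6} - C:\WINNT\system32\rcpie.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# "R1 - <body>" / "O17 - <body>": section code, then the entry text.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Windows paths to a DLL/EXE/OCX; non-greedy so "rcpie.dll/sp.html" stops at ".dll".
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+?\.(?:dll|exe|ocx)', re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str,
           expected_dns: FrozenSet[str] = frozenset()) -> Tuple[List[Finding], Dict[str, List[str]]]:
    """Return (findings, shared_paths) for a HijackThis-style log.

    expected_dns is the operator's known-good resolver set (assumption: the
    caller knows it); O17 entries naming any other server are reported.
    shared_paths maps each file path to the sorted section codes that reference it
    when more than one section does, which is how rcpie.dll stands out above.
    """
    findings: List[Finding] = []
    path_sections = defaultdict(set)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")

        for path in PATH_RE.findall(body):
            path_sections[path.lower()].add(sec)

        if sec in ("R0", "R1") and ("res://" in body or "(obfuscated)" in body):
            findings.append(Finding(sec, "search/start page points at a local DLL resource", line))
        elif sec == "O1":
            findings.append(Finding(sec, "hosts file overrides name resolution", line))
        elif sec == "O15" and ("*" in body or IPV4_RE.search(body)):
            findings.append(Finding(sec, "wildcard or IP-literal Trusted Zone entry", line))
        elif sec == "O17":
            unexpected = set(IPV4_RE.findall(body)) - set(expected_dns)
            if unexpected:
                findings.append(Finding(sec, "DNS servers not in the expected set: "
                                        + ", ".join(sorted(unexpected)), line))
        elif sec == "O18" and body.startswith("Filter:"):
            findings.append(Finding(sec, "MIME filter intercepts rendered content", line))

    shared = {p: sorted(secs) for p, secs in path_sections.items() if len(secs) >= 2}
    return findings, shared


if __name__ == "__main__":
    found, shared = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for path, secs in shared.items():
        print(f"shared artifact {path} referenced by sections {secs}")
```

Run against the sample, the script reports the R1 `res://` redirect, the O1 hosts entry, the O15 wildcard zone, the O17 resolvers and the O18 filter, and lists `rcpie.dll` as referenced from R1, O2 and O18. Passing the O17 addresses as `expected_dns` drops only the O17 finding, which is how an operator would suppress resolvers they recognise.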

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi gmad

You have a gem of an infection, a real B_____D

Download http://forums.skads....hp?showtopic=33

Instructions

Download the attachment and unzip the contents to a permanent folder

Reboot into safe mode and unhide all files and folders

Double-click on remv3.bat to run it. Wait until the DOS window closes.

Post the contents of c:\log.txt after rebooting into normal mode.

Kc :tazz:
  • 0

#15
gmad

gmad

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thatman, I don't see a download per se. All I see is in thread #2 the following: "Download this file rem.zip
http://forums.skads....type=post&id=23
unzip it to the system 32 folder, reboot into safe mode
Run rem.bat, reboot back to normal, post the log.txt which will be at this location c:\log.txt
And a new Hijackthis log "
I believe these are the right instructions, but where is this download?

Could you please be more specific as to thread #'s? Thanks a bunch!
Gman
  • 0
