Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]My Ad Aware log file[RESOLVED]


  • This topic is locked This topic is locked

#1
dprocket

dprocket

    New Member

  • Member
  • Pip
  • 8 posts
My parents computer is infected pretty badly with somting. I have removed a few trojans already, but it's still wackly. I will run Hijack this, but per the instructions given, I am first running my ad aware log file here. FYI -I believe the problems started when my teenage brother visited an inappropriate website, so I suspect something was downloaded and deployed ont he computer. It is a win98 based Celeron powered HP Pavillion.

Ad-Aware SE Build 1.05
Logfile Created on:Monday, May 16, 2005 10:46:06 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:8):7 total references
Alexa(TAC index:5):8 total references
BlazeFind(TAC index:5):1 total references
ClearSearch(TAC index:7):5 total references
CoolWebSearch(TAC index:10):10 total references
Lycos Sidesearch(TAC index:7):5 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
SecondThought(TAC index:4):3 total references
SpywareNuker(TAC index:5):1 total references
TopMoxie(TAC index:3):4 total references
VX2(TAC index:10):6 total references
Win32.Revop.Trojan(TAC index:6):2 total references
WinAD(TAC index:7):1 total references
WinFavorites(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-16-05 10:46:06 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293914787
Threads : 6
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294951967
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292883343
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292880035
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:5 [VSHWIN32.EXE]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\
ProcessID : 4292905711
Threads : 7
Priority : Normal
FileVersion : 4.0.3
ProductVersion : 4.0.3
ProductName : VShield
CompanyName : Network Associates Inc.
FileDescription : VShield
InternalName : VShield
LegalCopyright : Copyright © 1999 Network Associates Inc.
LegalTrademarks : VirusScan® is a registered trademark of Network Associates Inc. McAfee™ is a trademark of Network Associates Inc.
OriginalFilename : VSHWIN95.EXE

#:6 [HIDSERV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292948307
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1998, 1999
OriginalFilename : HIDSERV.EXE

#:7 [VSSTAT.EXE]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\
ProcessID : 4292898871
Threads : 3
Priority : Normal
FileVersion : 4.0.3
ProductVersion : 4.0.3
ProductName : McAfee VirusScan
CompanyName : Network Associates Inc
FileDescription : VShield Statistics
InternalName : VsStat.exe
LegalCopyright : Copyright © 1999 Network Associates Inc.
LegalTrademarks : VirusScan® is a registered trademark of Network Associates Inc. McAfee™ is a trademark of Network Associates Inc.
OriginalFilename : VSStat.exe

#:8 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4292943227
Threads : 17
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:9 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4292978523
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:10 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292972215
Threads : 3
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE

#:11 [MMKEYBD.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\
ProcessID : 4292988943
Threads : 5
Priority : Normal
FileVersion : 3.2.0
ProductVersion : 3.2.0
ProductName : One-touch Multimedia Keyboard
CompanyName : Netropa Corp.
FileDescription : One-touch Multimedia Keyboard
InternalName : MMKEYBD
LegalCopyright : Copyright © 1995-2000 Netropa Corp.
All Rights Reserved.
OriginalFilename : MMKEYBD.EXE

#:12 [REALPLAY.EXE]
FilePath : C:\PROGRAM FILES\REAL\REALPLAYER\
ProcessID : 4293029291
Threads : 2
Priority : Normal
FileVersion : 6.0.12.1040
ProductVersion : 6.0.12.1040
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:13 [CONNECTIONMANAGER.EXE]
FilePath : C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\
ProcessID : 4293010331
Threads : 5
Priority : Normal
FileVersion : 2.0.1.3072
ProductVersion : 2.0.1.3072
ProductName : SBC Yahoo! Dial
CompanyName : SBC Yahoo!
FileDescription : SBC Yahoo! Connection Manager
InternalName : CONNECTIONMANAGER
LegalCopyright : Copyright © 2002 SBC Yahoo!
LegalTrademarks : Copyright © 2002 SBC Yahoo!
OriginalFilename : CONNECTIONMANAGER.EXE

#:14 [IPMON32.EXE]
FilePath : C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\
ProcessID : 4293040495
Threads : 5
Priority : Normal
FileVersion : 5.5.33.226
ProductVersion : 5.5.33.226
ProductName : Visual IP InSight
CompanyName : Visual Networks
FileDescription : IP Monitor
InternalName : IPMON32
LegalCopyright : Copyright © 1996-2001 Visual Networks Technologies, Inc.
OriginalFilename : ipmon32.exe

#:15 [GCLIB.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292955955
Threads : 2
Priority : Normal


#:16 [THGUARD.EXE]
FilePath : C:\PROGRAM FILES\TROJANHUNTER 4.2\
ProcessID : 4292985003
Threads : 3
Priority : Normal
FileVersion : 3.8.0.275
ProductVersion : 1.0.0.0
ProductName : TrojanHunter Guard
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Guard
LegalCopyright : Mischel Internet Security
LegalTrademarks : TrojanHunter is a trademark of Mischel Internet Security.
OriginalFilename : THGuard.exe

#:17 [AVGCC.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4293111979
Threads : 6
Priority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:18 [AVGEMC.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4293141347
Threads : 7
Priority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:19 [AVGAMSVR.EXE]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG FREE\
ProcessID : 4293126399
Threads : 5
Priority : Normal
FileVersion : 7,1,0,307
ProductVersion : 7.1.0.307
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:20 [RunDLL.exe]
FilePath : C:\WINDOWS\
ProcessID : 4293122847
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:21 [WP.EXE]
FilePath : C:\
ProcessID : 4293090119
Threads : 2
Priority : Normal


#:22 [KEYBDMGR.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\
ProcessID : 4293096695
Threads : 2
Priority : Normal
FileVersion : 3.0.0
ProductVersion : 3.0.0
ProductName : Keyboard Manager
CompanyName : Netropa Corp.
FileDescription : Keyboard Manager
InternalName : Keyboard Manager
LegalCopyright : Copyright © 1999, Netropa Corp.
OriginalFilename : KeybdMgr.exe

#:23 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293187567
Threads : 4
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:24 [OSD.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\
ProcessID : 4293210395
Threads : 2
Priority : Normal
FileVersion : 3.1.7
ProductVersion : 3.1.7
ProductName : OSD
CompanyName : Netropa Corp.
FileDescription : Onscreen Display
InternalName : OSD
LegalCopyright : Copyright © 1997-2000 Netropa Corp.
All Rights Reserved.
OriginalFilename : OSD.EXE

#:25 [MMUSBKB2.EXE]
FilePath : C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\
ProcessID : 4293069415
Threads : 2
Priority : Normal
FileVersion : 1.1
ProductVersion : 1.1
ProductName : USB Multimedia Keyboard Driver 2
CompanyName : Netropa Corporation
FileDescription : USB Multimedia Keyboard Driver 2
InternalName : mmusbkb2
LegalCopyright : Copyright © 1998-1999 Netropa Corporation
OriginalFilename : mmusbkb2.exe

#:26 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293288291
Threads : 3
Priority : Normal
FileVersion : 5.00.1877.3
ProductVersion : 5.00.1877.3
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : Protected storage server

#:27 [RNAAPP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293276515
Threads : 3
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:28 [TAPISRV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293315647
Threads : 7
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:29 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4293377311
Threads : 3
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Alexa Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuText

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : MenuStatusBar

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Script

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : clsid

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : Icon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : HotIcon

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Value : ButtonText

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\main
Value : HOMEOldSP

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : HOMEOldSP

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 10


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFavorites Object Recognized!
Type : File
Data : jao.dll.tcf
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : jao Module
FileDescription : jao Module
InternalName : jao
LegalCopyright : Copyright 2004
OriginalFilename : jao.DLL


Win32.Revop.Trojan Object Recognized!
Type : File
Data : PVVOXD.exe.tcf
Category : Malware
Comment :
Object : c:\WINDOWS\SYSTEM\
FileVersion : 5.00.0002
ProductVersion : 5.00.0002
ProductName : mplayer
CompanyName : thunderdome
InternalName : actulice
OriginalFilename : actulice.exe


WinAD Object Recognized!
Type : File
Data : ide21201.vxd
Category : Data Miner
Comment :
Object : c:\WINDOWS\SYSTEM\



SpywareNuker Object Recognized!
Type : File
Data : SpywareNukerInstaller.exe
Category : Malware
Comment :
Object : c:\WINDOWS\Downloaded Program Files\



180Solutions Object Recognized!
Type : File
Data : ncmyb.dll.tcf
Category : Data Miner
Comment :
Object : c:\WINDOWS\



SecondThought Object Recognized!
Type : File
Data : install2.exe.tcf
Category : Data Miner
Comment :
Object : c:\WINDOWS\
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : spawner.exe
LegalCopyright : TODO: © <Company name>. All rights reserved.
OriginalFilename : spawner.exe


VX2 Object Recognized!
Type : File
Data : 0021-bdl94126.EXE
Category : Data Miner
Comment :
Object : c:\WINDOWS\



Win32.Revop.Trojan Object Recognized!
Type : File
Data : shizzyp.exe.tcf
Category : Malware
Comment :
Object : c:\WINDOWS\
FileVersion : 5.00.0002
ProductVersion : 5.00.0002
ProductName : mplayer
CompanyName : thunderdome
InternalName : actulice
OriginalFilename : actulice.exe


BlazeFind Object Recognized!
Type : File
Data : Key2.txt
Category : Malware
Comment :
Object : c:\WINDOWS\



VX2 Object Recognized!
Type : File
Data : PREINSTT.EXE.tcf
Category : Data Miner
Comment :
Object : c:\WINDOWS\



VX2 Object Recognized!
Type : File
Data : TWAINTEC.DLL.tcf
Category : Data Miner
Comment :
Object : c:\WINDOWS\
FileVersion : 0, 1, 4, 30
ProductVersion : 0, 1, 4, 30
ProductName : twaintec
CompanyName : Twaintec
FileDescription : www.twain-tech.com
InternalName : twaintec
LegalCopyright : Copyright © 2003
OriginalFilename : twaintec.dll
Comments : www.Twain-Tech.com


180Solutions Object Recognized!
Type : File
Data : wbghcl.exe.tcf
Category : Data Miner
Comment :
Object : c:\WINDOWS\



VX2 Object Recognized!
Type : File
Data : pup.exe
Category : Data Miner
Comment :
Object : c:\Program Files\



ClearSearch Object Recognized!
Type : File
Data : CSIEINST.DLL
Category : Data Miner
Comment :
Object : c:\Program Files\Lycos\IEagent\
FileVersion : 1, 53, 0, 4
ProductVersion : 1, 53, 0, 4
ProductName : CSie
CompanyName : Clear Search
FileDescription : CSie
InternalName : CSie
LegalCopyright : Copyright © 2003, 2004
OriginalFilename : CSie.dll
Comments : build 53d, 04/14/2004


ClearSearch Object Recognized!
Type : File
Data : CSSSINST.DLL
Category : Data Miner
Comment :
Object : c:\Program Files\Lycos\IEagent\
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : CSss
CompanyName : Clear Search
FileDescription : CSss
InternalName : CSss
LegalCopyright : Copyright © 2003, 2004
OriginalFilename : CSss.dll


ClearSearch Object Recognized!
Type : File
Data : CSBIINST.DLL
Category : Data Miner
Comment :
Object : c:\Program Files\Lycos\IEagent\
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : CSbi
CompanyName : Clear Search
FileDescription : CSbi
InternalName : CSbi
LegalCopyright : Copyright © 2003, 2004
OriginalFilename : CSbi.dll


Lycos Sidesearch Object Recognized!
Type : File
Data : sidesearch1400.dll.tcf
Category : Misc
Comment :
Object : c:\Program Files\Lycos\Sidesearch\
FileVersion : 1.4.0.0
ProductVersion : 1.4.0.0
ProductName : Lycos Sidesearch Client
CompanyName : Lycos, Inc.
FileDescription : Lycos Sidesearch Client
InternalName : Lycos Sidesearch Client
LegalCopyright : Copyright © 2004
OriginalFilename : sidesearch.dll


ClearSearch Object Recognized!
Type : File
Data : ClrSchUninstall_78_86.exe.tcf
Category : Data Miner
Comment :
Object : c:\Program Files\Lycos\Sidesearch\
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : Clear Search Uninstaller
FileDescription : Clear Search Uninstaller
InternalName : Clear Search Uninstaller
LegalCopyright : Copyright © 2003
OriginalFilename : ClrSchUninstall.EXE


TopMoxie Object Recognized!
Type : File
Data : WebRebates.exe.tcf
Category : Data Miner
Comment :
Object : c:\Program Files\WebRebates\



Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL and Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?139343
Object : C:\WINDOWS\Favorites\Links\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : CWS.About:Blank
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\searchassistant uninstall
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/plain
Value : CLSID

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : protocols\filter\text/html
Value : CLSID

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

180Solutions Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38}

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\explorer bars\{30d02401-6a81-11d0-8274-00c04fd5ae38}
Value : BarSize

180Solutions Object Recognized!
Type : File
Data : fiz1
Category : Data Miner
Comment :
Object : C:\WINDOWS\



180Solutions Object Recognized!
Type : File
Data : kyf.dat
Category : Data Miner
Comment :
Object : C:\WINDOWS\



180Solutions Object Recognized!
Type : File
Data : msbb.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileVersion : 5, 6, 0, 15
ProductVersion : 5, 6, 0, 15
ProductName : Search Assistant
CompanyName : 180Solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180Solutions Inc.


SecondThought Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\\temporary

SecondThought Object Recognized!
Type : File
Data : stcterms.html
Category : Data Miner
Comment :
Object : c:\temporary\



VX2 Object Recognized!
Type : File
Data : TWTINI.INF
Category : Malware
Comment :
Object : C:\WINDOWS\inf\



VX2 Object Recognized!
Type : File
Data : TWAINTEC.INI
Category : Malware
Comment :
Object : C:\WINDOWS\



ClearSearch Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}

Lycos Sidesearch Object Recognized!
Type : Folder
Category : Misc
Comment :
Object : C:\Program Files\lycos\Sidesearch

Lycos Sidesearch Object Recognized!
Type : File
Data : offline.htm
Category : Misc
Comment :
Object : C:\Program Files\lycos\sidesearch\



Lycos Sidesearch Object Recognized!
Type : File
Data : results-lycos-logo.gif
Category : Misc
Comment :
Object : C:\Program Files\lycos\sidesearch\



Lycos Sidesearch Object Recognized!
Type : File
Data : Uninst.exe
Category : Misc
Comment :
Object : C:\Program Files\lycos\sidesearch\



TopMoxie Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\Program Files\WebRebates

TopMoxie Object Recognized!
Type : File
Data : AutoTrack_README1.txt
Category : Data Miner
Comment :
Object : C:\Program Files\webrebates\



TopMoxie Object Recognized!
Type : File
Data : WebRebates.inf
Category : Data Miner
Comment :
Object : C:\Program Files\webrebates\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 25
Objects found so far: 55

11:04:27 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:20.870
Objects scanned:88625
Objects identified:55
Objects ignored:0
New critical objects:55
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hello dprocket
Ad-aware has found objects on your computer

If you chose to clean your computer from what Ad-aware found please follow these instructions below…

Please download Download CCleaner and install. Close out the program when it has completed set up (Don't run it yet we will use it later on)

Open Ad-aware click on the Check for updates now
Please make sure that you are using the * SE1R48 30.05.2005 * definition file.


Please launch Ad-Aware SE and click on the gear to access the Configuration Menu. Please make sure that this setting is applied.

Click on Tweak > Cleaning Engine > Uncheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.
Please then boot into Safe Mode,

Please see here if you need help on it Safe Mode


To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
(Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown in bold below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)

Click OK.

Please note that the path above is of the default installion location for Ad-aware SE, if this is different, please adjust it to the location that you have installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.

If problems are caused by deleting a family, please leave it.

Please shutdown/restart your computer after removal, run a new full scan and post the results as a reply. Do not launch any programs or connect to the internet at this time.


Please then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes takes 2-3 posts to get it all posted, once the "Summary of this scan" information is shown, you have posted all of your logfile.

Please remember when posting another logfile keep "Search for negligible risk entries" deselected as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Please post back here
  • 0

#3
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I notice that you stress using the SE1R48 30.05.2005 definition.

THis computer is not connected to the web at the moment. It does not have a network card and I do not plan to install one on it right now. Is there a way for me to manually download this definition, burn to CD and then manually deploy this onto the infected machine? Thanks.
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
You can download it from Here
  • 0

#5
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Just to add it,

Ad-Aware SE Build 1.05


Ad-aware SE Build 1.06r1 has been released.

If possible, please could you burn this to CD or transfer it to this computer.

Intergrated with Build 1.06r1 is a more current definition file
  • 0

#6
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hello, I have done my best to follow your directions to a tee. Here is my updated log file. Thank you in advance for your help.

*****************************************

Ad-Aware SE Build 1.05
Logfile Created on:Tuesday, May 31, 2005 8:41:21 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R48 30.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-31-05 8:41:22 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\clipart gallery\2.0\mrudescription
Description : most recently used description in microsoft clipart gallery


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description : file conversion location settings in musicmatch jukebox


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291776035
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294941383
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294937943
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294959847
Threads : 5
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:5 [RUNDLL32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294841451
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:6 [WINOA386.MOD]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294899711
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Non-Windows application component for 386 enhanced mode
InternalName : WINOLDAP
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : WINOA386.MOD

#:7 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294887679
Threads : 4
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9

8:46:25 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:03.520
Objects scanned:67452
Objects identified:0
Objects ignored:0
New critical objects:0
  • 0

#7
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Your logfile is clean.

Do you still have problems?
  • 0

#8
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Yes, I am still suffering from the affects of a virus and or trojan's. Before posting on the hijack this forum, I first wanted to go through the steps outlined over there by first using the AdAware forum. Thank you for your help. I will move past AdAware and onto the next phase of troubleshooting.
  • 0

#9
Guest_Andy_veal_*

Guest_Andy_veal_*
  • Guest
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#10
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is my Hijack this logfile. I believe I have followed all of the steps requested. Thanks in advance for the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:47:10 PM, on 6/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...oo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {D916C501-C013-11D9-9F05-4445F35090E8} - C:\WINDOWS\SYSTEM\ADDM.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O12 - Plugin for .MOV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
  • 0

Advertisements


#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {D916C501-C013-11D9-9F05-4445F35090E8} - C:\WINDOWS\SYSTEM\ADDM.DLL (file missing)
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

gclib.exe

Restart your computer, Post back a fresh log please,
  • 0

#12
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I followed your instructions. When I restarted, Win98 gave me a message about finding a system/reg file missing and it claimed it restored it. Not sure what that was about. Also, I searched for the file "gclib.exe" and did not find it. This was in safe mode and I have all files showing, including hidden files.

After a fresh restart, here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:33:21 PM, on 6/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\CONNECTIONMANAGER.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...oo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: (no name) - {D916C501-C013-11D9-9F05-4445F35090E8} - C:\WINDOWS\SYSTEM\ADDM.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [vmtuner] gclib.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E8BC33A0-C013-11D9-9F05-444553540001} - (no file) (HKCU)
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O12 - Plugin for .MOV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
  • 0

#13
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
None of the fix's were removed,

Did you follow the insructions

Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”


?
  • 0

#14
dprocket

dprocket

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
yes, I followed the directions, but perhaps i messed up. I did it again and have a new log file. thank you for your patience.

----

Logfile of HijackThis v1.99.1
Scan saved at 9:12:20 PM, on 6/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/...oo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=hpfsched
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\PROGRAM FILES\YAHOO!\COMMON\YCHECKH.DLL
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SBPCISetup] C:\SBPCI\sbsetup.exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManage] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .pcm: C:\PROGRA~1\INTERN~1\PLUGINS\NpCurMem.dll
O12 - Plugin for .MOV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
  • 0

#15
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That looks clean,
Did you run HJT from safe mode ? or did you disable some of your start ups ?
If the log is from safe mode, I need to see a fresh one run from Normal mode,




I also see you have 2 Anti Virus prgrams running,
I m assuming MCAFEE is your primary Anti Virus and AVG was added, If this is the case and your happy with McAfee please remove AVG and be sure and keep McAfee updated,

Let me know how you make out,

Don
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP