Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

[Referred]Aurora and its friends [RESOLVED]

Started by tomac , Jun 01 2005 03:29 PM

  • This topic is locked This topic is locked

#1
tomac
Posted 01 June 2005 - 03:29 PM

tomac

    Member

  • Member
  • PipPip
  • 10 posts
Hi,

I have a slow internet with a pop up problem that started about 2 weeks ago. Aurora being the biggest problem. I have updated and run symantic corp. addition virus software and Ad-Aware. Ad-Aware found a lot of stuff, but I am not sure what to do with it. (If I have some of the settings incorrect please let me know and I will correct them and re-post)

Thanks for you help!

Here is the log file:


Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, June 01, 2005 1:43:56 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):11 total references
EzuLa(TAC index:6):9 total references
Hijacker.TopConverting(TAC index:5):1 total references
ImIServer IEPlugin(TAC index:5):31 total references
MediaMotor(TAC index:8):3 total references
Other(TAC index:5):2 total references
Possible Browser Hijack attempt(TAC index:3):19 total references
PromulGate(TAC index:5):8 total references
Roings(TAC index:8):2 total references
TopSearch(TAC index:5):1 total references
Tracking Cookie(TAC index:3):69 total references
VX2(TAC index:10):56 total references
Zango(TAC index:6):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-1-2005 1:43:56 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 884
ThreadCreationTime : 6-1-2005 6:25:48 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 980
ThreadCreationTime : 6-1-2005 6:25:52 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 1008
ThreadCreationTime : 6-1-2005 6:25:54 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1052
ThreadCreationTime : 6-1-2005 6:25:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1064
ThreadCreationTime : 6-1-2005 6:25:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1328
ThreadCreationTime : 6-1-2005 6:26:00 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1424
ThreadCreationTime : 6-1-2005 6:26:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1564
ThreadCreationTime : 6-1-2005 6:26:02 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1640
ThreadCreationTime : 6-1-2005 6:26:03 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1712
ThreadCreationTime : 6-1-2005 6:26:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 148
ThreadCreationTime : 6-1-2005 6:26:07 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 224
ThreadCreationTime : 6-1-2005 6:26:08 PM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 976
ThreadCreationTime : 6-1-2005 6:26:09 PM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1532
ThreadCreationTime : 6-1-2005 6:26:11 PM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:15 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1556
ThreadCreationTime : 6-1-2005 6:26:11 PM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:16 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1624
ThreadCreationTime : 6-1-2005 6:26:11 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

VX2 Object Recognized!
Type : Process
Data : DrPMon.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


#:17 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 1960
ThreadCreationTime : 6-1-2005 6:26:18 PM
BasePriority : Normal
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:18 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1980
ThreadCreationTime : 6-1-2005 6:26:18 PM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:19 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 1988
ThreadCreationTime : 6-1-2005 6:26:19 PM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:20 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ProcessID : 1904
ThreadCreationTime : 6-1-2005 6:26:19 PM
BasePriority : Normal
FileVersion : 15.03.0.36
ProductVersion : 15.03.0.36
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2002 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:21 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 176
ThreadCreationTime : 6-1-2005 6:26:20 PM
BasePriority : Normal
FileVersion : 6.13.10.3100
ProductVersion : 6.13.10.3100
ProductName : NVIDIA Driver Helper Service, Version 31.00
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.00
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:22 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ProcessID : 420
ThreadCreationTime : 6-1-2005 6:26:21 PM
BasePriority : Normal
FileVersion : 6.03.0.36
ProductVersion : 6.03.0.36
ProductName : Norton Speed Disk
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
LegalCopyright : Copyright © 2002
OriginalFilename : NOPDB.dll

#:23 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 460
ThreadCreationTime : 6-1-2005 6:26:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:24 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 604
ThreadCreationTime : 6-1-2005 6:26:24 PM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:25 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 924
ThreadCreationTime : 6-1-2005 6:26:31 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:26 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 956
ThreadCreationTime : 6-1-2005 6:26:31 PM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:27 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2492
ThreadCreationTime : 6-1-2005 6:26:44 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:28 [usevka.exe]
FilePath : c:\windows\system32\
ProcessID : 3128
ThreadCreationTime : 6-1-2005 6:27:07 PM
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:29 [cthelper.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3660
ThreadCreationTime : 6-1-2005 6:31:55 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE

#:30 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3668
ThreadCreationTime : 6-1-2005 6:31:55 PM
BasePriority : Realtime
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:31 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 3684
ThreadCreationTime : 6-1-2005 6:31:55 PM
BasePriority : Normal
FileVersion : 3.39.0
ProductVersion : 3.39.0
ProductName : InCD
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright © ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:32 [3cshtdwn.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3712
ThreadCreationTime : 6-1-2005 6:31:56 PM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cshtdwn.exe

#:33 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3724
ThreadCreationTime : 6-1-2005 6:31:56 PM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:34 [rmctrl.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3756
ThreadCreationTime : 6-1-2005 6:31:56 PM
BasePriority : Normal


#:35 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3764
ThreadCreationTime : 6-1-2005 6:31:56 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:36 [wf2k.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3824
ThreadCreationTime : 6-1-2005 6:31:58 PM
BasePriority : Normal
FileVersion : 5.13.01.2002-2.38
ProductVersion : 5.00
ProductName : WinFox V2.0 (Windows 95/98//ME/2000/XP)
CompanyName : Leadtek Research Inc.
FileDescription : WinFox V2.0
InternalName : WinFox V2.0
LegalCopyright : Copyright© 2001-2003 Leadtek Research Inc.
OriginalFilename : WF2K.EXE

#:37 [ctsysvol.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\Surround Mixer\
ProcessID : 3832
ThreadCreationTime : 6-1-2005 6:31:59 PM
BasePriority : Normal
FileVersion : 1.1.3.0
ProductVersion : 1.0.0.0
ProductName : Creative Volume Control
CompanyName : Creative Technology Ltd
FileDescription : CTSysVol.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTSysVol.exe

#:38 [ctdvddet.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\DVDAudio\
ProcessID : 3860
ThreadCreationTime : 6-1-2005 6:31:59 PM
BasePriority : Normal
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
ProductName : CTDVDDET
CompanyName : Creative Technology Ltd
FileDescription : CTDVDDET
InternalName : CTDVDDET
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTDVDDET.EXE

#:39 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 3928
ThreadCreationTime : 6-1-2005 6:32:01 PM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:40 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ProcessID : 3968
ThreadCreationTime : 6-1-2005 6:32:02 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 42
ProductVersion : 2, 0, 0, 42
ProductName : Viewpoint Manager
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
LegalCopyright : Copyright © 2004
OriginalFilename : ViewMgr.exe
Comments : Viewpoint Manager

#:41 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 3996
ThreadCreationTime : 6-1-2005 6:32:02 PM
BasePriority : Normal
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2002
OriginalFilename : QTTask.exe

#:42 [saap.exe]
FilePath : C:\program files\180search assistant\
ProcessID : 4052
ThreadCreationTime : 6-1-2005 6:32:05 PM
BasePriority : Normal
FileVersion : 5, 15, 0, 15
ProductVersion : 5, 15, 0, 15
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180solutions Inc.

180Solutions Object Recognized!
Type : Process
Data : saap.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\program files\180search assistant\
FileVersion : 5, 15, 0, 15
ProductVersion : 5, 15, 0, 15
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180solutions Inc.

"C:\program files\180search assistant\saap.exe"Process terminated successfully
"C:\program files\180search assistant\saap.exe"Process terminated successfully

#:43 [nsvsvc.exe]
FilePath : C:\WINDOWS\system32\nsvsvc\
ProcessID : 1828
ThreadCreationTime : 6-1-2005 6:32:06 PM
BasePriority : Normal
FileVersion : 2.17.0000
ProductVersion : 2, 1, 7, 0

#:44 [picsvr.exe]
FilePath : C:\WINDOWS\system32\picsvr\
ProcessID : 336
ThreadCreationTime : 6-1-2005 6:32:07 PM
BasePriority : Normal


#:45 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2012
ThreadCreationTime : 6-1-2005 6:32:08 PM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:46 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 912
ThreadCreationTime : 6-1-2005 6:32:10 PM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:47 [rcman.exe]
FilePath : C:\Program Files\Creative\MediaSource\RemoteControl\
ProcessID : 1100
ThreadCreationTime : 6-1-2005 6:32:11 PM
BasePriority : Normal
FileVersion : 1.0.9.0
ProductVersion : 1.00
ProductName : Creative Media Source
CompanyName : Creative Technology Ltd.
FileDescription : Remote Control Manager
InternalName : RcMan
LegalCopyright : Copyright © Creative Technology Ltd.,2002. All rights reserved.
OriginalFilename : RcMan.EXE

#:48 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2340
ThreadCreationTime : 6-1-2005 6:32:12 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:49 [ctcmsgo.exe]
FilePath : C:\Program Files\Creative\MediaSource\Go\
ProcessID : 2400
ThreadCreationTime : 6-1-2005 6:32:13 PM
BasePriority : Normal
FileVersion : 1.0.26.0
ProductVersion : 1.0.26.0
ProductName : Creative MediaSource Go!
CompanyName : Creative Technology Ltd
FileDescription : Creative MediaSource Go!
InternalName : Creative MediaSource Go!
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTCMSGo.exe

#:50 [reminder.exe]
FilePath : C:\Program Files\U.S. Robotics\ControlCenter\
ProcessID : 2860
ThreadCreationTime : 6-1-2005 6:32:17 PM
BasePriority : Normal


#:51 [scannerfinder.exe]
FilePath : C:\Program Files\Microtek\ScanWizard 5\
ProcessID : 3016
ThreadCreationTime : 6-1-2005 6:32:18 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SDII Application
FileDescription : SDII MFC Application
InternalName : SDII
LegalCopyright : Copyright © 2000
OriginalFilename : SDII.EXE

#:52 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 1136
ThreadCreationTime : 6-1-2005 6:33:49 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:53 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 3896
ThreadCreationTime : 6-1-2005 6:43:44 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:54 [hh.exe]
FilePath : C:\WINDOWS\
ProcessID : 3260
ThreadCreationTime : 6-1-2005 6:43:44 PM
BasePriority : Normal
FileVersion : 5.2.3790.1159 (dnsrv.040209-1620)
ProductVersion : 5.2.3790.1159
ProductName : HTML Help
CompanyName : Microsoft Corporation
FileDescription : Microsoft® HTML Help Executable
InternalName : HH 1.41
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 2


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\classes\appid\atlbrowser.exe

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\atlbrowser.exe

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\classes\appid\{0818d423-6247-11d1-abee-00d049c10000}

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\{0818d423-6247-11d1-abee-00d049c10000}

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\classes\atlbrcon.atlbrcon

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlbrcon.atlbrcon

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\classes\atlbrcon.atlbrcon.1

EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : atlbrcon.atlbrcon.1

Hijacker.TopConverting Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2b0eceac-f597-4858-a542-d966b49055b9}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1c896551-8b92-4907-8c06-15db2d1f874a}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{d36f70b1-7df5-4fd4-a765-70ccc8f72cd7}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e2bf1bf3-1fdb-4c93-8874-0b09e71c594c}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{f3155057-4c2c-4078-8576-50486693fd49}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.bottomframe

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.bottomframe.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.leftframe

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.leftframe.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupbrowser

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupbrowser.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : imitoolbar.popupwindow.1

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{220959ea-b54c-4201-8df2-1cfac8b59fd7}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3e589169-86ad-44fe-b426-f0bf105d5582}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6a288140-3e1c-4cd9-aac5-e20fdd4f5d64}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7371ad3f-c419-4dc0-8e8a-e21fafad53e0}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{98b2ddba-6da2-4421-af2b-814e98f53649}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e4458b4a-6149-4450-84f2-864adb7e8c52}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wbho.band.1

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e0ce16cb-741c-4b24-8d04-a817856e07f4}

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : iobjsafety.democtl

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.clientinstaller

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.clientinstaller.1

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3d5OfSInst

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUB3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUE3v5nt

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSBath

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSysSInf

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUL3n5Title

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3u5rrentSMode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5tFyl

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3g5noreS

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUL3a5stMotsSDay

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUL3a5stSSChckin

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUS3t5atusOfSInst

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\clsid\{a8bd9566-9895-4fa3-918d-a51d4cd15865}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\clsid\{d0070620-1e72-42e7-a14c-3a255ad31839}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\interface\{2bb15d36-43be-4743-a3a0-3308f4b1a610}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\interface\{41700749-a109-4254-af13-be54011e8783}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\typelib\{2a7db8d1-43be-4ad3-a81e-9bb8c9d00073}

PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\classes\vccpgdataaccess.pgdataaccessctrl.1

Roings Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Malware
Comment : "Date"
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\intexp
Value : Date

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 75
Objects found so far: 77


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
  • 0

Advertisements

#2
Guest_Andy_veal_*
Posted 01 June 2005 - 06:26 PM

Guest_Andy_veal_*
  • Guest
Hello there

Please could you complete your current logfile

Please could you find the rest of your logfile and complete posting it here.
Logs are stored in:

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\.
There are in order of date,

Make sure you have all the log posted

(The Application Data is a hidden folder, so you will need to show hidden files and folders and for Windows 98*admin users your logs are stored in C:\WINDOWS\All Users\Application Data\ )

This sometimes takes 2-3 posts to get it all posted. You will know you are at the end when you see the "Summary of this scan" information has been posted.

When you have posted your log here, Team Lavasoft can advise on what to do next. Please post back if you have any questions or other problems.

Good luck

Andy
  • 0

#3
tomac
Posted 01 June 2005 - 07:08 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks, here's more...

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearchwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\MainSearch Pagewebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\MainSearch Barwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://websearch.drs...search.cgi?id="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://websearch.drs...search.cgi?id="
Possible Browser Hijack attempt : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\SearchURLwebsearch.drsnsrch.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "websearch.drsnsrch.com/q.cgi?q="
TAC Rating : 8
Category : Malware
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\Software\Microsoft\Internet Explorer\SearchURL
Value :
Data : "websearch.drsnsrch.com/q.cgi?q="

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : HelpLink

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1 "http://www.abetterinternet.com"
TAC Rating : 8
Category : Malware
Comment : (http://www.abetterinternet.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\abi-1
Value : Contact
Trusted zone presumably compromised : media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
Trusted zone presumably compromised : popuppers.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : popuppers.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\popuppers.com
Possible Browser Hijack attempt : {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (http://cabs.media-mo...abs/diamond.cab)

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://cabs.media-mo...abs/diamond.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://cabs.media-mo...abs/diamond.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}
Value : Installer

180Solutions Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment : "saap"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : saap

180Solutions Object Recognized!
Type : File
Data : saap.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : c:\program files\180search assistant\
FileVersion : 5, 15, 0, 15
ProductVersion : 5, 15, 0, 15
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180solutions Inc.


180Solutions Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment : "czshktcv"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : czshktcv

180Solutions Object Recognized!
Type : File
Data : czshktcv.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : c:\windows\



Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 19
Objects found so far: 98


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:thomas a. [email protected]/
Expires : 5-31-2007 8:51:40 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@fortunecity[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:thomas a. [email protected]/
Expires : 12-31-2010 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:thomas a. [email protected]/
Expires : 5-30-2010 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:238
Value : Cookie:thomas a. [email protected]/
Expires : 12-31-2009 7:00:00 PM
LastSync : Hits:238
UseCount : 0
Hits : 238

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:19
Value : Cookie:thomas a. [email protected]/
Expires : 3-18-2006 2:11:04 PM
LastSync : Hits:19
UseCount : 0
Hits : 19

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2005 3:37:54 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:16
Value : Cookie:thomas a. [email protected]/
Expires : 3-12-2010 8:08:28 PM
LastSync : Hits:16
UseCount : 0
Hits : 16

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 2-20-2006 10:06:34 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:thomas a. [email protected]/
Expires : 2-27-2005 3:52:08 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 5-5-2020 5:45:08 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@domainsponsor[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:thomas a. [email protected]/
Expires : 3-13-2005 3:47:26 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2005 5:55:28 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:7
Value : Cookie:thomas a. [email protected]/
Expires : 1-1-2038
LastSync : Hits:7
UseCount : 0
Hits : 7

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:thomas a. [email protected]/
Expires : 4-27-2005 6:03:08 AM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@bfast[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:thomas a. [email protected]/
Expires : 2-25-2025 11:33:00 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@sextracker[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:47
Value : Cookie:thomas a. [email protected]/
Expires : 2-27-2005 11:52:08 AM
LastSync : Hits:47
UseCount : 0
Hits : 47

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:53
Value : Cookie:thomas a. [email protected]/
Expires : 3-6-2006 12:46:34 PM
LastSync : Hits:53
UseCount : 0
Hits : 53

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@real[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:33
Value : Cookie:thomas a. [email protected]/
Expires : 2-12-2006 7:47:46 PM
LastSync : Hits:33
UseCount : 0
Hits : 33

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:thomas a. [email protected]/
Expires : 4-14-2006 7:50:34 PM
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:thomas a. [email protected]/
Expires : 2-25-2009 1:58:38 AM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2006 2:00:30 AM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:thomas a. [email protected]/
Expires : 3-18-2006 11:39:00 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@casalemedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:34
Value : Cookie:thomas a. [email protected]/
Expires : 5-8-2006 2:25:50 PM
LastSync : Hits:34
UseCount : 0
Hits : 34

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:46
Value : Cookie:thomas a. [email protected]/
Expires : 3-18-2006 1:37:36 PM
LastSync : Hits:46
UseCount : 0
Hits : 46

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@sexlist[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:19
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2006 7:47:08 PM
LastSync : Hits:19
UseCount : 0
Hits : 19

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 6-21-2009 7:00:00 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@overture[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:thomas a. [email protected]/
Expires : 3-11-2015 7:34:06 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@centrport[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:33
Value : Cookie:thomas a. [email protected]/
Expires : 12-31-2029 7:00:00 PM
LastSync : Hits:33
UseCount : 0
Hits : 33

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:99
Value : Cookie:thomas a. [email protected]/
Expires : 5-31-2006 8:51:50 PM
LastSync : Hits:99
UseCount : 0
Hits : 99

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@serving-sys[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:63
Value : Cookie:thomas a. [email protected]/
Expires : 1-1-2038
LastSync : Hits:63
UseCount : 0
Hits : 63

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:thomas a. [email protected]/
Expires : 3-13-2005 3:47:24 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:42
Value : Cookie:thomas a. [email protected]/
Expires : 5-12-2024 1:07:28 PM
LastSync : Hits:42
UseCount : 0
Hits : 42

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 6-1-2005 1:48:54 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:thomas a. [email protected]/
Expires : 2-25-2006 11:37:34 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@paycounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:thomas a. [email protected]/
Expires : 12-30-2030 8:00:00 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@maxserving[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:thomas a. [email protected]/
Expires : 3-30-2015 8:05:52 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:thomas a. [email protected]/
Expires : 3-25-2005 8:54:54 AM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:42
Value : Cookie:thomas a. [email protected]/
Expires : 5-15-2006 8:21:42 PM
LastSync : Hits:42
UseCount : 0
Hits : 42

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2005 5:54:42 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:69
Value : Cookie:thomas a. [email protected]/
Expires : 12-31-2010 7:00:00 PM
LastSync : Hits:69
UseCount : 0
Hits : 69

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@tradedoubler[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 3-14-2005 8:10:36 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@statcounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:40
Value : Cookie:thomas a. [email protected]/
Expires : 4-30-2010 8:34:32 AM
LastSync : Hits:40
UseCount : 0
Hits : 40

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:104
Value : Cookie:thomas a. [email protected]/
Expires : 3-16-2035 9:48:18 PM
LastSync : Hits:104
UseCount : 0
Hits : 104

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@valueclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:9
Value : Cookie:thomas a. [email protected]/
Expires : 2-21-2030 12:03:18 AM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value : Cookie:thomas a. [email protected]/
Expires : 4-24-2006 8:16:46 PM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@bluestreak[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:940
Value : Cookie:thomas a. [email protected]/
Expires : 5-30-2015 9:33:54 AM
LastSync : Hits:940
UseCount : 0
Hits : 940

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:16
Value : Cookie:thomas a. [email protected]/
Expires : 12-31-2037 7:00:00 PM
LastSync : Hits:16
UseCount : 0
Hits : 16

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@valueclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:thomas a. [email protected]/
Expires : 3-6-2030 3:00:20 PM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@tripod[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:thomas a. [email protected]/
Expires : 3-12-2006 3:21:42 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:21
Value : Cookie:thomas a. [email protected]/
Expires : 5-26-2006 11:00:00 PM
LastSync : Hits:21
UseCount : 0
Hits : 21

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@tickle[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:thomas a. [email protected]/
Expires : 2-26-2007 2:02:54 AM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@hitbox[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:90
Value : Cookie:thomas a. [email protected]/
Expires : 5-15-2006 8:21:42 PM
LastSync : Hits:90
UseCount : 0
Hits : 90

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@advertising[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:thomas a. [email protected]/
Expires : 5-31-2010 12:57:48 PM
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@commission-junction[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:thomas a. [email protected]/
Expires : 3-12-2010 8:08:28 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:71
Value : Cookie:thomas a. [email protected]/
Expires : 5-13-2015 9:30:38 PM
LastSync : Hits:71
UseCount : 0
Hits : 71

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:788
Value : Cookie:thomas a. [email protected]/
Expires : 5-31-2010 1:39:24 PM
LastSync : Hits:788
UseCount : 0
Hits : 788

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:thomas a. [email protected]/
Expires : 7-1-2005 12:57:48 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@overstock[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:12
Value : Cookie:thomas a. [email protected]/
Expires : 6-1-2006 1:34:04 PM
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:thomas a. [email protected]/
Expires : 6-2-2005 1:07:48 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 7-22-2006 9:48:48 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:198
Value : Cookie:thomas a. [email protected]/
Expires : 3-19-2006 9:39:18 AM
LastSync : Hits:198
UseCount : 0
Hits : 198

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:thomas a. [email protected]/
Expires : 5-14-2006 3:07:52 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@targetnet[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:thomas a. [email protected]/
Expires : 5-17-2033 10:33:20 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:134
Value : Cookie:thomas a. [email protected]/
Expires : 2-24-2015 1:58:20 AM
LastSync : Hits:134
UseCount : 0
Hits : 134

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@spylog[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:thomas a. [email protected]/
Expires : 11-12-2005 8:38:22 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:thomas a. [email protected]/
Expires : 5-18-2005 4:59:06 AM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:thomas a. [email protected]/
Expires : 4-19-2005
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. [email protected][2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:thomas a. [email protected]/
Expires : 3-14-2006 1:15:54 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : thomas a. cumbow@linksynergy[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:thomas a. [email protected]/
Expires : 5-27-2025 1:34:04 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 69
Objects found so far: 167



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : File
Data : DrPMon[1].dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\Documents and Settings\Thomas A. Cumbow\Local Settings\Temporary Internet Files\Content.IE5\GHYFSHM7\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


VX2 Object Recognized!
Type : File
Data : Poller[1].exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\Documents and Settings\Thomas A. Cumbow\Local Settings\Temporary Internet Files\Content.IE5\GL6VOLIB\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : aurora[1].exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\Documents and Settings\Thomas A. Cumbow\Local Settings\Temporary Internet Files\Content.IE5\ODABW9EV\



VX2 Object Recognized!
Type : File
Data : A0020355.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP100\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020044.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP97\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020059.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP97\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020073.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP97\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020088.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP97\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020104.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP97\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020129.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020135.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020147.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020157.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020169.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


Zango Object Recognized!
Type : File
Data : A0020171.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\



VX2 Object Recognized!
Type : File
Data : A0020174.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020179.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1.0.2.4
ProductVersion : 1.0.2.4
ProductName : Buddy Window
CompanyName : Direct Revenue
FileDescription : Buddy
InternalName : Buddy.exe
LegalCopyright : © Direct Revenue. All rights reserved.
OriginalFilename : Buddy.exe
Comments : Browser window for Direct Revenue


VX2 Object Recognized!
Type : File
Data : A0020186.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP98\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020298.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP99\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020305.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP99\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : DrPMon.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


ImIServer IEPlugin Object Recognized!
Type : File
Data : tdtb.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileVersion : 5.0.2001.10043
ProductVersion : 2001, 0, 0, 0
ProductName : MimarSinan Emissary, MimarSinan Charm Family
CompanyName : Mimar Sinan International
FileDescription : Emissary
InternalName : autonomy
LegalCopyright : Copyright © 1992-2000 Mimar Sinan International. All rights reserved.
OriginalFilename : autonomy.exe


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 189


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 189


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

TopSearch Object Recognized!
Type : File
Data : TopSearch.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : G:\KazaaKmd\
FileVersion : 1, 0, 0, 9
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Inc. TopSearch
CompanyName : Altnet Inc.
FileDescription : TopSearch
InternalName : TopSearch
LegalCopyright : Copyright Altnet Inc. © 2002
OriginalFilename : TopSearch.dll


Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 190


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 190



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Computers & Internet Hardware - Live!.url
TAC Rating : 5
Category : Misc
Comment : Problematic URL discovered: http://live.looksmar...8.dat:000525222
Object : C:\Documents and Settings\Thomas A. Cumbow\Favorites\01-Computers\Info\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : LookSmart - Directory - Window Cleaning Advice.url
TAC Rating : 5
Category : Misc
Comment : Problematic URL discovered: http://search.looksm...62882/us935206/
Object : C:\Documents and Settings\Thomas A. Cumbow\Favorites\homemade cleaners\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\control\print\monitors\zepmon

VX2 Ob
  • 0

#4
tomac
Posted 01 June 2005 - 07:10 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
And even more...

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\controlset001\control\print\monitors\zepmon

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\control\print\monitors\zepmon

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main\featurecontrol\feature_window_restrictions
Value : iexplore.exe

VX2 Object Recognized!
Type : Folder
TAC Rating : 10
Category : Malware
Comment : VX2
Object : C:\DOCUME~1\THOMAS~1.CUM\LOCALS~1\Temp\DrTemp

VX2 Object Recognized!
Type : File
Data : birthstonesmjmini.zip
TAC Rating : 10
Category : Malware
Comment :
Object : C:\DOCUME~1\THOMAS~1.CUM\LOCALS~1\Temp\



180Solutions Object Recognized!
Type : Folder
TAC Rating : 6
Category : Data Miner
Comment : 180Solutions
Object : C:\Program Files\180search Assistant

180Solutions Object Recognized!
Type : File
Data : saap.log
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\Program Files\180search assistant\



180Solutions Object Recognized!
Type : File
Data : saapau.dat
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\Program Files\180search assistant\



180Solutions Object Recognized!
Type : File
Data : saaphook.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\Program Files\180search assistant\
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
ProductName : ncmyb Dynamic Link Library
CompanyName : 180solutions, inc.
FileDescription : Browser Integrations Module
InternalName : ncmyb
LegalCopyright : Copyright © 2005
OriginalFilename : ncmyb.dll


180Solutions Object Recognized!
Type : File
Data : saap_gdf.dat
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\Program Files\180search assistant\



180Solutions Object Recognized!
Type : File
Data : saap_kyf.dat
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\Program Files\180search assistant\



EzuLa Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : remove

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : Version

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : Date

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : bid

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}

ImIServer IEPlugin Object Recognized!
Type : File
Data : redir.txt
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\WINDOWS\



MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mm

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}

Zango Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{99410cde-6f16-42ce-9d49-3807f78f0287}
Value : SystemComponent

Zango Object Recognized!
Type : File
Data : clientax.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\WINDOWS\downloaded program files\
FileVersion : 6, 1, 2, 0
ProductVersion : 6, 1, 2, 0
ProductName : 180SAAX
CompanyName : 180solutions
FileDescription : ClientAX
InternalName : ClientAX.dll
LegalCopyright : © 180solutions, 2004. All rights reserved.
OriginalFilename : ClientAX.dll
Comments : /DID=000998


Zango Object Recognized!
Type : File
Data : ClientAX.inf
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\WINDOWS\downloaded program files\



PromulGate Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\dvx

PromulGate Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\dvx
Value : id

Roings Object Recognized!
Type : File
Data : objsafe.tlb
TAC Rating : 8
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



Other Object Recognized!
Type : File
Data : SAAP.EXE-09FB3219.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\



Other Object Recognized!
Type : File
Data : CZSHKTCV.EXE-1C49281A.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 30
Objects found so far: 222

2:06:45 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:22:48.839
Objects scanned:183925
Objects identified:223
Objects ignored:0
New critical objects:223
  • 0

#5
Guest_Andy_veal_*
Posted 02 June 2005 - 05:04 AM

Guest_Andy_veal_*
  • Guest
Hello and Welcome

Ad-aware has found objects on your computer

If you chose to clean your computer from what Ad-aware found please follow these instructions below…

Please make sure that you are using the * SE1R49 31.05.2005 * definition file.


Please launch Ad-Aware SE and click on the gear to access the Configuration Menu. Please make sure that this setting is applied.

Click on Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Please then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Please run CCleaner to assist in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown in bold below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click OK.

Please note that the path above is of the default installion location for Ad-aware SE, if this is different, please adjust it to the location that you have installed it to.

When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.

If problems are caused by deleting a family, please leave it.

Please shutdown/restart your computer after removal, run a new full scan and post the results as a reply. Do not launch any programs or connect to the internet at this time.

Please then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes takes 2-3 posts to get it all posted, once the "Summary of this scan" information is shown, you have posted all of your logfile.

Please remember when posting another logfile keep "Search for negligible risk entries" deselected as negligible risk entries (MRU's) are not considered to be a threat. This option can be changed when choosing your scan type.

Please post back here

Good luck

Andy
  • 0

#6
tomac
Posted 07 June 2005 - 08:51 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hey,

Sorry for the late reply, I was out of town for a few days. I am posting the new results after following the instructions and running Ad-Aware after running ccleaner.

Thanks!

Here are the results...


Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, June 07, 2005 9:18:35 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):2 total references
ImIServer IEPlugin(TAC index:5):2 total references
MRU List(TAC index:0):28 total references
TopSearch(TAC index:5):1 total references
VX2(TAC index:10):22 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-7-2005 9:18:35 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 836
ThreadCreationTime : 6-8-2005 2:12:32 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 932
ThreadCreationTime : 6-8-2005 2:12:36 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 956
ThreadCreationTime : 6-8-2005 2:12:37 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1004
ThreadCreationTime : 6-8-2005 2:12:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1016
ThreadCreationTime : 6-8-2005 2:12:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1256
ThreadCreationTime : 6-8-2005 2:12:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 6-8-2005 2:12:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1384
ThreadCreationTime : 6-8-2005 2:12:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1436
ThreadCreationTime : 6-8-2005 2:12:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1548
ThreadCreationTime : 6-8-2005 2:12:43 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1808
ThreadCreationTime : 6-8-2005 2:12:46 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1824
ThreadCreationTime : 6-8-2005 2:12:46 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1876
ThreadCreationTime : 6-8-2005 2:12:47 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2004
ThreadCreationTime : 6-8-2005 2:12:47 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:15 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2040
ThreadCreationTime : 6-8-2005 2:12:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:16 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 112
ThreadCreationTime : 6-8-2005 2:12:48 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:17 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 320
ThreadCreationTime : 6-8-2005 2:12:48 AM
BasePriority : Normal
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:18 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 340
ThreadCreationTime : 6-8-2005 2:12:48 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:19 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 356
ThreadCreationTime : 6-8-2005 2:12:48 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:20 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ProcessID : 412
ThreadCreationTime : 6-8-2005 2:12:49 AM
BasePriority : Normal
FileVersion : 15.03.0.36
ProductVersion : 15.03.0.36
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2002 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:21 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 440
ThreadCreationTime : 6-8-2005 2:12:49 AM
BasePriority : Normal
FileVersion : 6.13.10.3100
ProductVersion : 6.13.10.3100
ProductName : NVIDIA Driver Helper Service, Version 31.00
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.00
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:22 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ProcessID : 644
ThreadCreationTime : 6-8-2005 2:12:50 AM
BasePriority : Normal
FileVersion : 6.03.0.36
ProductVersion : 6.03.0.36
ProductName : Norton Speed Disk
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
LegalCopyright : Copyright © 2002
OriginalFilename : NOPDB.dll

#:23 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 716
ThreadCreationTime : 6-8-2005 2:12:51 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:24 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 784
ThreadCreationTime : 6-8-2005 2:12:52 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:25 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 876
ThreadCreationTime : 6-8-2005 2:12:54 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:26 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 920
ThreadCreationTime : 6-8-2005 2:12:55 AM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:27 [cthelper.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1276
ThreadCreationTime : 6-8-2005 2:12:57 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE

#:28 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 1288
ThreadCreationTime : 6-8-2005 2:12:57 AM
BasePriority : Realtime
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:29 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1444
ThreadCreationTime : 6-8-2005 2:12:59 AM
BasePriority : Normal
FileVersion : 3.39.0
ProductVersion : 3.39.0
ProductName : InCD
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright © ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:30 [3cshtdwn.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 1484
ThreadCreationTime : 6-8-2005 2:12:59 AM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cshtdwn.exe

#:31 [rmctrl.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1592
ThreadCreationTime : 6-8-2005 2:13:01 AM
BasePriority : Normal


#:32 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1584
ThreadCreationTime : 6-8-2005 2:13:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:33 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 1640
ThreadCreationTime : 6-8-2005 2:13:01 AM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:34 [wf2k.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1676
ThreadCreationTime : 6-8-2005 2:13:02 AM
BasePriority : Normal
FileVersion : 5.13.01.2002-2.38
ProductVersion : 5.00
ProductName : WinFox V2.0 (Windows 95/98//ME/2000/XP)
CompanyName : Leadtek Research Inc.
FileDescription : WinFox V2.0
InternalName : WinFox V2.0
LegalCopyright : Copyright© 2001-2003 Leadtek Research Inc.
OriginalFilename : WF2K.EXE

#:35 [ctsysvol.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\Surround Mixer\
ProcessID : 1656
ThreadCreationTime : 6-8-2005 2:13:03 AM
BasePriority : Normal
FileVersion : 1.1.3.0
ProductVersion : 1.0.0.0
ProductName : Creative Volume Control
CompanyName : Creative Technology Ltd
FileDescription : CTSysVol.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTSysVol.exe

#:36 [ctdvddet.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\DVDAudio\
ProcessID : 1692
ThreadCreationTime : 6-8-2005 2:13:03 AM
BasePriority : Normal
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
ProductName : CTDVDDET
CompanyName : Creative Technology Ltd
FileDescription : CTDVDDET
InternalName : CTDVDDET
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTDVDDET.EXE

#:37 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 2100
ThreadCreationTime : 6-8-2005 2:13:04 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:38 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ProcessID : 2160
ThreadCreationTime : 6-8-2005 2:13:05 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 42
ProductVersion : 2, 0, 0, 42
ProductName : Viewpoint Manager
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
LegalCopyright : Copyright © 2004
OriginalFilename : ViewMgr.exe
Comments : Viewpoint Manager

#:39 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2176
ThreadCreationTime : 6-8-2005 2:13:06 AM
BasePriority : Normal
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2002
OriginalFilename : QTTask.exe

#:40 [nsvsvc.exe]
FilePath : C:\WINDOWS\system32\nsvsvc\
ProcessID : 2240
ThreadCreationTime : 6-8-2005 2:13:07 AM
BasePriority : Normal
FileVersion : 2.17.0000
ProductVersion : 2, 1, 7, 0

#:41 [picsvr.exe]
FilePath : C:\WINDOWS\system32\picsvr\
ProcessID : 2252
ThreadCreationTime : 6-8-2005 2:13:07 AM
BasePriority : Normal


#:42 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2264
ThreadCreationTime : 6-8-2005 2:13:08 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:43 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 2280
ThreadCreationTime : 6-8-2005 2:13:08 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:44 [rcman.exe]
FilePath : C:\Program Files\Creative\MediaSource\RemoteControl\
ProcessID : 2344
ThreadCreationTime : 6-8-2005 2:13:10 AM
BasePriority : Normal
FileVersion : 1.0.9.0
ProductVersion : 1.00
ProductName : Creative Media Source
CompanyName : Creative Technology Ltd.
FileDescription : Remote Control Manager
InternalName : RcMan
LegalCopyright : Copyright © Creative Technology Ltd.,2002. All rights reserved.
OriginalFilename : RcMan.EXE

#:45 [ysuqyv.exe]
FilePath : c:\windows\system32\
ProcessID : 2340
ThreadCreationTime : 6-8-2005 2:13:10 AM
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:46 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2396
ThreadCreationTime : 6-8-2005 2:13:11 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:47 [ctcmsgo.exe]
FilePath : C:\Program Files\Creative\MediaSource\Go\
ProcessID : 2468
ThreadCreationTime : 6-8-2005 2:13:13 AM
BasePriority : Normal
FileVersion : 1.0.26.0
ProductVersion : 1.0.26.0
ProductName : Creative MediaSource Go!
CompanyName : Creative Technology Ltd
FileDescription : Creative MediaSource Go!
InternalName : Creative MediaSource Go!
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTCMSGo.exe

#:48 [reminder.exe]
FilePath : C:\Program Files\U.S. Robotics\ControlCenter\
ProcessID : 2928
ThreadCreationTime : 6-8-2005 2:13:23 AM
BasePriority : Normal


#:49 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2964
ThreadCreationTime : 6-8-2005 2:13:24 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:50 [scannerfinder.exe]
FilePath : C:\Program Files\Microtek\ScanWizard 5\
ProcessID : 3016
ThreadCreationTime : 6-8-2005 2:13:25 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SDII Application
FileDescription : SDII MFC Application
InternalName : SDII
LegalCopyright : Copyright © 2000
OriginalFilename : SDII.EXE

#:51 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3916
ThreadCreationTime : 6-8-2005 2:13:56 AM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:52 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3972
ThreadCreationTime : 6-8-2005 2:14:08 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5tFyl

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 46


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
Type : File
Data : A0020627.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 5, 15, 0, 15
ProductVersion : 5, 15, 0, 15
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180solutions Inc.


180Solutions Object Recognized!
Type : File
Data : A0020629.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\



VX2 Object Recognized!
Type : File
Data : A0020630.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020631.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


VX2 Object Recognized!
Type : File
Data : A0020632.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.


ImIServer IEPlugin Object Recognized!
Type : File
Data : A0020633.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 8, 1
ProductVersion : 1, 0, 8, 1
ProductName : wbho Module
FileDescription : wbho Module
InternalName : wbho
LegalCopyright : Copyright 2004
OriginalFilename : wbho.DLL


VX2 Object Recognized!
Type : File
Data : A0020634.dll
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


ImIServer IEPlugin Object Recognized!
Type : File
Data : A0020635.exe
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 5.0.2001.10043
ProductVersion : 2001, 0, 0, 0
ProductName : MimarSinan Emissary, MimarSinan Charm Family
CompanyName : Mimar Sinan International
FileDescription : Emissary
InternalName : autonomy
LegalCopyright : Copyright © 1992-2000 Mimar Sinan International. All rights reserved.
OriginalFilename : autonomy.exe


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 54


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 54


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

TopSearch Object Recognized!
Type : File
Data : A0020636.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : G:\System Volume Information\_restore{FBB87E07-C7F0-482C-8730-93017FB44ED0}\RP102\
FileVersion : 1, 0, 0, 9
ProductVersion : 1, 0, 0, 0
ProductName : Altnet Inc. TopSearch
CompanyName : Altnet Inc.
FileDescription : TopSearch
InternalName : TopSearch
LegalCopyright : Copyright Altnet Inc. © 2002
OriginalFilename : TopSearch.dll


Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 55


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 55




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 55

9:37:09 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:34.232
Objects scanned:149460
Objects identified:27
Objects ignored:0
New critical objects:27
  • 0

#7
don77
Posted 09 June 2005 - 03:57 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi tomac,
  • Download Pocket Killbox from. Here
  • Paste the full file path c:\windows\system32\ysuqyv.exe in the box and click on Delete on Reboot.
  • Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?"
  • Click "Yes"
  • Let the system reboot
Next
  • Please try this process please. It would be worth printing out a copy of the instructions.


  • First please go to http://www.lavasoftu...x2cleaner.shtml . Download and install the VX2 Plug-in as described there, but do not run it yet.


  • Disconnect from the Internet, some VX2 objects can re-install themselves if you are connected.


  • Close all running applications including all Internet Explorer or alternate browser sessions.


  • Run the VX2 cleaner plug-in: In Ad-Aware SE Go to “Add-Ons”, select the VX2 Cleaner plug-in and click “Run Tool”


  • If your computer isn’t infected, click “Close”. If your computer is infected, select “Clean System”


  • Shutdown/restart your computer (do NOT connect to the Internet on re-boot). If Ad-Aware SE is open please close it. Make sure all applications are closed.

    Important: check that your last scan was a "Full System Scan". If not, please select that option and start a scan, cancelling the scan after it starts. The object is to ensure that a full system scan will run in the following step.

    Click "Start" > select "Run" > type the text shown in bold below (including the quotation marks and with the same spacing as shown)



    "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke

    Click OK.

    Note: If you used a different path to the default for installing Ad-Aware SE Pro change the path as appropriate.


  • When the scan has completed, select Next. In the Scanning Results window, select the "Scan Summary" tab. Check the box next to each "target family" you wish to remove. Click next, Click OK.


  • Please shutdown/restart your computer after removal. Run a new full scan. Do NOT connect to the Internet until completing a new full scan.


  • After the scan is complete, reconnect to the Internet and post the logfile from this latest scan.



    If you have any questions, please don't hesitate to ask. Thank you.

  • 0

#8
tomac
Posted 10 June 2005 - 06:55 AM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thanks for your help Don77,

My log file is below...

I have cable internet, but I did not open internet explorer to connect while running Ad-Aware, but the number of objects found increased the longer I kept my computer on. The 1st time I ran adaware it found 54 objects and after I finished, restarted, and ran adaware again it found 72 objects! Once I physically disconnected my internet cable and left it disconnected the number of critical objects finally stayed down at 18 through two more Ad-Aware scans. The vx2 cleaner never found any objects to clean, but the aurora vx2's are a stubborn bunch I think.

Does this mean that my computer is wide open to attacks? How can I protect my computer from these kinds of attacks? I have symantec corporate edition virus software and I use a pop up blocker and Spybot, also I have a router with a double firewall. Any recommendations?


Thanks for you help!

Tomac


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, June 09, 2005 8:59:13 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2(TAC index:10):18 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


6-9-2005 8:59:13 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 812
ThreadCreationTime : 6-10-2005 1:56:48 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 936
ThreadCreationTime : 6-10-2005 1:56:52 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 960
ThreadCreationTime : 6-10-2005 1:56:53 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1008
ThreadCreationTime : 6-10-2005 1:56:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1020
ThreadCreationTime : 6-10-2005 1:56:54 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1260
ThreadCreationTime : 6-10-2005 1:56:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1348
ThreadCreationTime : 6-10-2005 1:56:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1388
ThreadCreationTime : 6-10-2005 1:56:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1448
ThreadCreationTime : 6-10-2005 1:56:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1556
ThreadCreationTime : 6-10-2005 1:56:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1812
ThreadCreationTime : 6-10-2005 1:57:02 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1828
ThreadCreationTime : 6-10-2005 1:57:02 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1884
ThreadCreationTime : 6-10-2005 1:57:03 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2008
ThreadCreationTime : 6-10-2005 1:57:04 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:15 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2044
ThreadCreationTime : 6-10-2005 1:57:04 AM
BasePriority : Normal
FileVersion : 5,13,00,00
ProductVersion : 5,13,00,00
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2000 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:16 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 148
ThreadCreationTime : 6-10-2005 1:57:04 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:17 [cdac11ba.exe]
FilePath : C:\WINDOWS\System32\drivers\
ProcessID : 316
ThreadCreationTime : 6-10-2005 1:57:04 AM
BasePriority : Normal
FileVersion : 4.16.050
ProductVersion : 4.16.050 Windows NT 2002/04/24
ProductName : SafeCast Windows NT
CompanyName : Macrovision
FileDescription : Macrovision RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © 1998-2002 Macrovision Corp.
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:18 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 336
ThreadCreationTime : 6-10-2005 1:57:04 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:19 [defwatch.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 364
ThreadCreationTime : 6-10-2005 1:57:05 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
LegalCopyright : Copyright 1998 - 2004 Symantec Corporation. All rights reserved.
OriginalFilename : DefWatch.exe

#:20 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ProcessID : 424
ThreadCreationTime : 6-10-2005 1:57:05 AM
BasePriority : Normal
FileVersion : 15.03.0.36
ProductVersion : 15.03.0.36
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2002 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE

#:21 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 448
ThreadCreationTime : 6-10-2005 1:57:05 AM
BasePriority : Normal
FileVersion : 6.13.10.3100
ProductVersion : 6.13.10.3100
ProductName : NVIDIA Driver Helper Service, Version 31.00
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 31.00
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:22 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ProcessID : 620
ThreadCreationTime : 6-10-2005 1:57:06 AM
BasePriority : Normal
FileVersion : 6.03.0.36
ProductVersion : 6.03.0.36
ProductName : Norton Speed Disk
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
LegalCopyright : Copyright © 2002
OriginalFilename : NOPDB.dll

#:23 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 696
ThreadCreationTime : 6-10-2005 1:57:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:24 [rtvscan.exe]
FilePath : C:\Program Files\Symantec AntiVirus\
ProcessID : 784
ThreadCreationTime : 6-10-2005 1:57:08 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:25 [cthelper.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 916
ThreadCreationTime : 6-10-2005 1:57:15 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 11
ProductVersion : 1, 0, 0, 11
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE

#:26 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 980
ThreadCreationTime : 6-10-2005 1:57:15 AM
BasePriority : Realtime
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:27 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1128
ThreadCreationTime : 6-10-2005 1:57:15 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:28 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1276
ThreadCreationTime : 6-10-2005 1:57:16 AM
BasePriority : Normal
FileVersion : 3.39.0
ProductVersion : 3.39.0
ProductName : InCD
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
LegalCopyright : Copyright © ahead software gmbh and its licensors
OriginalFilename : InCD.EXE
Comments : CD-RW UDF Tools

#:29 [3cshtdwn.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 1508
ThreadCreationTime : 6-10-2005 1:57:17 AM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cshtdwn.exe

#:30 [mspmspsv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1540
ThreadCreationTime : 6-10-2005 1:57:17 AM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:31 [rmctrl.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1536
ThreadCreationTime : 6-10-2005 1:57:17 AM
BasePriority : Normal


#:32 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1592
ThreadCreationTime : 6-10-2005 1:57:17 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:33 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 1652
ThreadCreationTime : 6-10-2005 1:57:18 AM
BasePriority : Normal
FileVersion : 5.00.000.156
ProductVersion : 5.00.000.156
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright © © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:34 [wf2k.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1676
ThreadCreationTime : 6-10-2005 1:57:18 AM
BasePriority : Normal
FileVersion : 5.13.01.2002-2.38
ProductVersion : 5.00
ProductName : WinFox V2.0 (Windows 95/98//ME/2000/XP)
CompanyName : Leadtek Research Inc.
FileDescription : WinFox V2.0
InternalName : WinFox V2.0
LegalCopyright : Copyright© 2001-2003 Leadtek Research Inc.
OriginalFilename : WF2K.EXE

#:35 [ctsysvol.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\Surround Mixer\
ProcessID : 1724
ThreadCreationTime : 6-10-2005 1:57:19 AM
BasePriority : Normal
FileVersion : 1.1.3.0
ProductVersion : 1.0.0.0
ProductName : Creative Volume Control
CompanyName : Creative Technology Ltd
FileDescription : CTSysVol.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTSysVol.exe

#:36 [ctdvddet.exe]
FilePath : C:\Program Files\Creative\SBAudigy2\DVDAudio\
ProcessID : 1768
ThreadCreationTime : 6-10-2005 1:57:20 AM
BasePriority : Normal
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
ProductName : CTDVDDET
CompanyName : Creative Technology Ltd
FileDescription : CTDVDDET
InternalName : CTDVDDET
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTDVDDET.EXE

#:37 [mjxogio.exe]
FilePath : c:\windows\system32\
ProcessID : 1764
ThreadCreationTime : 6-10-2005 1:57:20 AM
BasePriority : Normal
FileVersion : 1, 1, 0, 3
ProductVersion : 0, 0, 7, 0

#:38 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 2128
ThreadCreationTime : 6-10-2005 1:57:22 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:39 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ProcessID : 2188
ThreadCreationTime : 6-10-2005 1:57:23 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 42
ProductVersion : 2, 0, 0, 42
ProductName : Viewpoint Manager
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
LegalCopyright : Copyright © 2004
OriginalFilename : ViewMgr.exe
Comments : Viewpoint Manager

#:40 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 2204
ThreadCreationTime : 6-10-2005 1:57:23 AM
BasePriority : Normal
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2002
OriginalFilename : QTTask.exe

#:41 [nsvsvc.exe]
FilePath : C:\WINDOWS\system32\nsvsvc\
ProcessID : 2224
ThreadCreationTime : 6-10-2005 1:57:24 AM
BasePriority : Normal
FileVersion : 2.17.0000
ProductVersion : 2, 1, 7, 0

#:42 [picsvr.exe]
FilePath : C:\WINDOWS\system32\picsvr\
ProcessID : 2236
ThreadCreationTime : 6-10-2005 1:57:25 AM
BasePriority : Normal


#:43 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 2312
ThreadCreationTime : 6-10-2005 1:57:25 AM
BasePriority : Normal
FileVersion : 2.2.2.008
ProductVersion : 2.2.2.008
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:44 [vptray.exe]
FilePath : C:\PROGRA~1\SYMANT~1\
ProcessID : 2420
ThreadCreationTime : 6-10-2005 1:57:27 AM
BasePriority : Normal
FileVersion : 9.0.3.1000
ProductVersion : 9.0.3.1000
ProductName : Symantec AntiVirus
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
LegalCopyright : Copyright 1991 - 2004 Symantec Corporation. All rights reserved.

#:45 [rcman.exe]
FilePath : C:\Program Files\Creative\MediaSource\RemoteControl\
ProcessID : 2468
ThreadCreationTime : 6-10-2005 1:57:28 AM
BasePriority : Normal
FileVersion : 1.0.9.0
ProductVersion : 1.00
ProductName : Creative Media Source
CompanyName : Creative Technology Ltd.
FileDescription : Remote Control Manager
InternalName : RcMan
LegalCopyright : Copyright © Creative Technology Ltd.,2002. All rights reserved.
OriginalFilename : RcMan.EXE

#:46 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2580
ThreadCreationTime : 6-10-2005 1:57:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:47 [ctcmsgo.exe]
FilePath : C:\Program Files\Creative\MediaSource\Go\
ProcessID : 2596
ThreadCreationTime : 6-10-2005 1:57:29 AM
BasePriority : Normal
FileVersion : 1.0.26.0
ProductVersion : 1.0.26.0
ProductName : Creative MediaSource Go!
CompanyName : Creative Technology Ltd
FileDescription : Creative MediaSource Go!
InternalName : Creative MediaSource Go!
LegalCopyright : Copyright © Creative Technology Ltd., 2002. All rights reserved.
OriginalFilename : CTCMSGo.exe

#:48 [reminder.exe]
FilePath : C:\Program Files\U.S. Robotics\ControlCenter\
ProcessID : 2740
ThreadCreationTime : 6-10-2005 1:57:32 AM
BasePriority : Normal


#:49 [scannerfinder.exe]
FilePath : C:\Program Files\Microtek\ScanWizard 5\
ProcessID : 2804
ThreadCreationTime : 6-10-2005 1:57:34 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : SDII Application
FileDescription : SDII MFC Application
InternalName : SDII
LegalCopyright : Copyright © 2000
OriginalFilename : SDII.EXE

#:50 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3012
ThreadCreationTime : 6-10-2005 1:57:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:51 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3908
ThreadCreationTime : 6-10-2005 1:58:12 AM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:52 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3996
ThreadCreationTime : 6-10-2005 1:58:37 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5trMsgSDisp

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky1S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky2S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky3S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUs3t5icky4S

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC1o3d5eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3i5m7eOfSFinalAd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUD3s5tSSEnd

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AU3N5a7tionSCode

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUP3D5om

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSCheckSIn

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUT3h5rshSMots

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUM3o5deSSync

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSCab

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSEx

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUI3n5ProgSLstest

VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-343818398-839522115-1343024091-1003\software\aurora
Value : AUC3n5tFyl

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 18


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 18




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

9:18:13 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:59.498
Objects scanned:151279
Objects identified:18
Objects ignored:0
New critical objects:18
  • 0

#9
don77
Posted 10 June 2005 - 06:59 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.
  • 0

#10
tomac
Posted 11 June 2005 - 06:25 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi,

Donn77 thanks for referring me to the Malware Removal forum. I have downloaded and ran HiJackThis according to step 5 and I am posting the log.
Thanks again for all the help!

Tomac

Here it is...

Logfile of HijackThis v1.99.1
Scan saved at 7:04:42 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
c:\windows\system32\rboiqa.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [jpksvg] c:\windows\system32\bulzqz.exe
O4 - HKLM\..\Run: [foirgi] c:\windows\system32\rboiqa.exe r
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuwe...LDownloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...dio/ChkDVD2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100398092140
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\Resources\IntraLaunch.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#11
don77
Posted 12 June 2005 - 06:11 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi tomac
    • Please set your system to show
      all files; please see here if you're unsure how to do this.
    • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

      O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
      O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
      O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
      O4 - HKLM\..\Run: [jpksvg] c:\windows\system32\bulzqz.exe
      O4 - HKLM\..\Run: [foirgi] c:\windows\system32\rboiqa.exe r
      O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

      Click on Fix Checked when finished and exit HijackThis.
    • Reboot into Safe Mode: please see here if you are not sure how to do this.


      Using Windows Explorer, locate the following files/folders, and delete them:

      C:\WINDOWS\seeve.exe
      C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
      C:\WINDOWS\system32\picsvr\picsvr.exe
      c:\windows\system32\bulzqz.exe
      c:\windows\system32\rboiqa.exe
      Exit Explorer, and reboot as normal afterwards.
    • Please download Download CCleaner and install.
      Please run CCleaner to assist in this process.
      (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)
    • C:\Windows\Temp\
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
    • C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Empty your "Recycle Bin".

    • Please download Ewido security suite it is a trial version of the program.
    • Install Ewido security suite
    • Launch Ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    The update will start and a progress bar will show the updates being installed.
    Once the updates are installed do the following:
    • Click on scanner
    • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
[/list]Post back a fresh HijackThis log and the log from Ewido we will take another look.
  • 0

#12
tomac
Posted 12 June 2005 - 12:14 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Don77,

I have a few of questions before I reconnect to the internet.

I have remained unplugged from the internet during this process (I have been using my wife's computer to download programs and post the logs). When I did plug back in I couldn't reconnect. I think I have to run the winsockfix utility to get back online.

I did not find the following files/folders after reboot: bulzqz.exe, seeve.exe or rboiqa.exe. So, I am assuming that HJT took care of them.

I did find the folders: nsvsvc.exe and picsvr.exe and deleted them. I also found an aurora icon: nqjibgxes.exe and the file: Nail.exe. Are these dangerous files and will they cause trouble when I do reconnect?

The file, svcproc.exe, I check marked for deletion, but I noticed it came back after reboot. I also ran ccleaner and took out the trash. I have not run the ewido security suite yet, if you think it is ok to reconnect the cable and If winsockfix works then I will run it immediately. I think I am becomming a little paranoid at this point! :tazz:

Thanks, I appreciate your patience!

Tomac

So, without further ado here is the next HJT log file...

Logfile of HijackThis v1.99.1
Scan saved at 12:56:41 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
c:\windows\system32\avmzgks.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ngzgwo] c:\windows\system32\avmzgks.exe r
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuwe...LDownloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...dio/ChkDVD2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100398092140
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\Resources\IntraLaunch.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#13
don77
Posted 12 June 2005 - 12:41 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry I should have spotted your unpluged from the net,

The file, svcproc.exe, I check marked for deletion, but I noticed it came back after reboot. I also ran ccleaner and took out the trash. I have not run the ewido security suite yet, if you think it is ok to reconnect the cable and If winsockfix works then I will run it immediately. I think I am becomming a little paranoid at this point!


Need you to reconnect to the net, We will need to get rid of Nail.
Running Ewido will help but we will likely have a few moree things to clean


http://www.geekstogo...n=download&id=7

winsock repair,

After you reconnect please post a fresh HJT log please
  • 0

#14
tomac
Posted 12 June 2005 - 08:32 PM

tomac

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Ok,

I reconnected with the help of Winsockxp utility and ran the first ewido scan and at 89.2% it incountered a problem and had to close. So, I ran it again, and ran HJT agian and I am posting the logs now. Good luck to the both of us!

Thanks again,

Tomac

HJT first then ewido...

Logfile of HijackThis v1.99.1
Scan saved at 9:15:24 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\SYSTEM32\3cshtdwn.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SYSTEM32\3cmlink.exe
C:\WINDOWS\System32\rmctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SCB
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: Save with Download Manager... - C:\Program Files\Media Jukebox\DMDownload.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuwe...LDownloader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...dio/ChkDVD2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100398092140
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\Resources\IntraLaunch.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

EWIDO Scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:07:25 PM, 6/12/2005
+ Report-Checksum: 657D8650

+ Date of database: 6/12/2005
+ Version of scan engine: v3.0

+ Duration: 122 min
+ Scanned Files: 188599
+ Speed: 25.67 Files/Second
+ Infected files: 36
+ Removed files: 36
+ Files put in quarantine: 36
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
G:\

+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002649.exe -> Spyware.BetterInternet.f -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002823.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002825.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002826.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002828.exe -> Spyware.BetterInternet.f -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002841.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002842.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002843.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002846.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002848.exe -> Spyware.BetterInternet.f -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002863.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002864.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002865.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002868.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00002887.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00006668.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00006673.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\RECYCLER\NPROTECT\00006682.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor.a -> Cleaned with backup
C:\WINDOWS\mm15201518.Stub.exe -> Spyware.EZula.ah -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\nqjibgxes.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\system32\avmzgks.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\baldsrx.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\bwhlavv.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\nyponq.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\oiddpgb.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\pxptwp.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\ujmutd.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\ykxswdc.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__fnyjfx.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__gowftbb.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup


::Report End
  • 0

#15
don77
Posted 13 June 2005 - 08:10 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Great job !!
One more issue to clean here,

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

System Startup Service

or

SvcProc

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

SvcProc
Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP