Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Suspected Loader X Module infection [RESOLVED]


  • This topic is locked This topic is locked

#1
dreadpiratedaz

dreadpiratedaz

    Member

  • Member
  • PipPip
  • 23 posts
I have been struggling with this persistent problem since the end of June. It isn't an emergency as I seemed to have resolved many of the issues through the good advice of this website already!(Many thanks!) It is my very inexperienced evaluation that I may have a loader X module infection.

System details: celeron 800 mhz, 128 ram, windows millenium

Here are some historical problems(some have been resolved, some haven't). Some of these symptoms may or may not be related but I include them so you have all the details to make an evaluation:

1) EXISTING PROBLEM - for a while now task scheduler has been unable to run and an error message shows at boot-up saying: "some tasks did not execute at their scheduled times because the task scheduler was not running. You can view the lists of missed tasks, and attempt to run them again from within the scheduled tasks folder."

2) EXISTING PROBLEM - at the same time when I manually run defrag it has to keep re-starting because it says a program is writing to the disk and the disk contents have changed. After a number of attempts defrag suggests running scandisk. When I run scandisk the same thing more or less happens, the disk contents change and it restarts. It hasn't completed scandisk or defrag in recent memory. I close down all possible programs through cntrl+alt+del and leave explorer running. I can't shut down system processes as I don't have XP. This even happens in safe mode. Once, a few weeks ago after the following set of problems(below) scandisk got as far as identifying a number of crosslinked files, the centre of which is a file I have been unable to remove because it is a LoaderX Module (this problem is described below). I tried to fix the cross-linked files but it re-started again after disk contents changed once more. TODAY - I managed to run scandisk in minimum reboot on a startup disk. I also managed to run defrag in safe mode! Hurrah! None of the programs spotted the errors I was expecting.

Here are perhaps a different set of problems:
3) HISTORICAL PROBLEM SOLVED BY ADAWARE & SPYBOT - I get unauthorised pop-ups all the time whether internet explorer is running or not. These pop-ups don't vary and often increase and become more frequent and annoying when I'm downloading a piece of anti-spy/anti-ad/anti-virus software.

4) HISTORICAL PROBLEM SOLVED BY ADAWARE & SPYBOT - when IE starts I get a supposed dialogue box with 'Warning' in the heading warning me that my computer is infected with spyware and adware directing me to sites with so-called virus protection that I have never heard of!.

5) HISTORICAL PROBLEM SOLVED BY ADAWARE & SPYBOT - in the bottom right hand corner of my screen (is it called 'system tray'?) together with all the other icons there is another icon inserted: a red circle with a white exclamation mark in it. If i right-click on this icon a bubble will pop up saying: "Your computer is infected! Click here to protect your computer from spyware/virus threat." When I double-click it IE starts and goes to PSGUARD.com, purporting to sell a personal security guardian.

6) HISTORICAL PROBLEM SOLVED BY ADAWARE & SPYBOT - I cannot change my home page: it resets to the default - "about:blank".

7) EXISTING PROBLEM I THINK - when I tried to download SpyDoctor 3.2 it was corrupted by a virus or a bad sector on my disk. I tried re-installing several times but all to no avail - the same problem resulted. Even today when scandisk ran successfully it spotted no disk errors!

8) HISTORICAL PROBLEM SOLVED BY MANUALLY CHANGING WALLPAPER - my wallpaper has changed to a blank blue screen with the following warning on it: 'Security Warning: a fatal error in IE has occurred at 0028:C0011E36 in VXD VMM(01) + 000/OE36. Error was caused by Trojan-Spy. html.smitfraud.c. System cannot function in normal mode. Please check your security settings. Scan your PC with any available antivirus/spyware remove'.

9) after downloading lavasoft's ad-aware and running it rundll32 has an error early in the scanning process. This has not repeated itself in the last month so I think it's gone away.

10) after running ad-aware several times it identified approximately 50 critical objects with varying levels of threat. When trying to remove these items(Alexa and CoolWebLinks: dataminer and malware) ad-aware's deleting bar remained on the screen for several hours - it could not delete all the files highlighted. The program hadn't stopped running but the computer did have to be re-booted. PRESENT PROBLEM: Adaware has now successfully, so it says, removed all critical objects with one stark exception, it cannot remove - no matter what:
C:\_restore\temp\A1787204.1 or .A (I also strongly suspect another file se.dll)
A text editor revealed this to have loaderX module notation/code at the bottom of the file. It cannot be manually deleted or stripped out internally with a text editor!!This file's former name is LoaderX Module and apparently runs on startup (this is also the file at the centre of the cross-linked file errors found by the aborted scandisk run). Therefore I could remove everything except this file.


11) I downloaded spybot but it took several attempts for the installation to be successful. The scan spybot did identified more objects but fundamentally it was Alexa and CoolWebLinks objects. Eventually with both Spybot and Ad-Aware I was able to remove all Alexa objects permanently, a few dodgy cookies and all CoolWebLinks - or so I thought! Spybot eventually congratulated me on having a clean scan (i didn't trust this as the same symptoms were still occurring)

12) I can't load Ewido as I have Windows Millenium

13) As soon as I tried to load Trend Housecall IE had to close because of a problem. I sent a report and now I can't get onto the website at all without IE totally closing down.

14) I have used the following tools regularly:
Trojan Hunter(resident shield off)
Spybot
Adaware
AVG Free(resident shield on)
CW Shredder
Cleanup
TDS-3

BUT

I still have the following symptoms:
a) IE is regularly having problems and closing down to restart again. There seems to be no pattern to this - it's just regular!
b) I have what I term 'breakouts' where AVG regularly(daily/every other day) detects numerous .dll files that are infected with viruses(sometimes I'm on the internet sometimes I'm not). AVG says it heals the files successfully. So everything has a lid on it. Nothing seems to be out of control but I have heard other forums(MSN) say that loaderX is almost intelligent and wants to elude and evade detection and destruction. Am I getting paranoid?
c) adaware still can't rid of the loaderX module file.

Anyway, here's my log file. If anyone can solve this problem for me I will give £10 to any British charity they want. Sound fair?

Logfile of HijackThis v1.99.1
Scan saved at 20:44:09, on 31/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

Thanks for your help.
dreadpiratedaz
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#3
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
I followed your instructions as closely as I could. I downloaded all the tools you said I should. Appended to this message are all my log files including a new HiJack This log file.

Some differences to your description were:
1/ About:buster did not prompt to shut down IE. It didn't shut IE down at all and just went ahead and did a very quick scan.

CWShredder didn't find anything.

2/ When I ran SpSeHjfix it restarted the computer when I pressed 'disinfect'. I had to put it back into safe mode to run CleanUp.

3/ After Cleanup it said there were 1 or 2 files running that couldn't be deleted and therefore needed rebooting to delete them.

KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 01, 2005 20:54:43
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/09/2005
Kaspersky Anti-Virus database records: 146588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\WINDOWS\TEMP\

Scan Statistics:
Total number of scanned objects: 7458
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1677 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.


KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 07:47:22
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/09/2005
Kaspersky Anti-Virus database records: 146588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 45219
Number of viruses found: 7
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 11510 sec

Infected Object Name - Virus Name
c:\_RESTORE\TEMP\A1782897.CPY Infected: Trojan.Win32.StartPage.qr
c:\_RESTORE\TEMP\A1782902.CPY Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\A1782904.CPY Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\A1782912.CPY Infected: Trojan-Downloader.Win32.Small.amb
c:\_RESTORE\TEMP\BGLDJBAA.0 Infected: Trojan.Win32.StartPage.qr
c:\_RESTORE\TEMP\JIDE.0 Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\FFCE.0 Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\WININET.1 Infected: Virus.Win32.Nsag.a
c:\_RESTORE\TEMP\A1785352.CPY Infected: Trojan.Win32.StartPage.uz
c:\_RESTORE\TEMP\A1785353.CPY Infected: Trojan.Win32.StartPage.uz
c:\_RESTORE\TEMP\A1786219.CPY Infected: Trojan.Win32.StartPage.uz
c:\_RESTORE\TEMP\A1787204.0 Infected: not-a-virus:AdWare.WinAD.af
c:\_RESTORE\TEMP\SE.0 Infected: Trojan.Win32.StartPage.uz
c:\_RESTORE\TEMP\A1788087.CPY Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\A1788092.CPY Infected: Trojan.Win32.Agent.ff
c:\_RESTORE\TEMP\A1788131.CPY Infected: Trojan.Win32.StartPage.qr
c:\_RESTORE\TEMP\A1788692.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1789784.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1789907.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1792489.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1792735.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1792923.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1793905.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1794138.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1794226.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1794279.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1795350.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1795419.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1795467.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1797428.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1797517.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1797545.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1797591.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1798603.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1798627.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1798805.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1798839.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1799899.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1801095.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1801120.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1802204.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1804055.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1804057.CPY Infected: Trojan.Win32.StartPage.vr
c:\_RESTORE\TEMP\A1805090.CPY Infected: Trojan.Win32.StartPage.vr

Scan process completed.


KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 07:50:12
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/09/2005
Kaspersky Anti-Virus database records: 146588
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - A file:
C:\_RESTORE\TEMP\A1787204.0

Scan Statistics:
Total number of scanned objects: 1
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 11 sec

Infected Object Name - Virus Name
C:\_RESTORE\TEMP\A1787204.0 Infected: not-a-virus:AdWare.WinAD.af

Scan process completed.


(9/1/05 20:00:26) SPSeHjFix started v1.1.2
(9/1/05 20:00:26) OS: WinME (4.90.3000)
(9/1/05 20:00:26) Language: english
(9/1/05 20:00:26) Win-Path: C:\WINDOWS
(9/1/05 20:00:26) System-Path: C:\WINDOWS\SYSTEM
(9/1/05 20:00:26) Temp-Path: C:\WINDOWS\TEMP\
(9/1/05 20:00:50) Disinfection started
(9/1/05 20:00:50) Bad-Dll(IEP): c:\windows\temp\se.dll
(9/1/05 20:00:50) UBF: 4 - UBB: 1 - UBR: 32
(9/1/05 20:00:50) UBF: 4 - UBB: 1 - UBR: 32
(9/1/05 20:00:50) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(9/1/05 20:00:51) Stealth-String found: C:\WINDOWS\QTFOBT.FOR
(9/1/05 20:00:51) File added to delete: c:\windows\qtfobt.for
(9/1/05 20:00:51) Reboot
(9/1/05 20:02:09) SPSeHjFix 2nd Step
(9/1/05 20:02:09) Stealth-String not present. Disinfection succesfully
(9/1/05 20:02:27) Cleaned


Logfile of HijackThis v1.99.1
Scan saved at 12:50:03, on 02/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\LOTUS\WORDPRO\WORDPRO.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab


AboutBuster 5.0 reference file 31
Scan started on [01/09/2005] at [19:51:52]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:51:53


AboutBuster 5.0 reference file 31
Scan started on [01/09/2005] at [19:57:24]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:57:25

thanks for your help - I hope this is clear to you. It's not to me.
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

I think everything went very well so far.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items, then click FIX CHECKED:
===================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

===================================================

Close HiJackThis.


Delete the file - C:\WINDOWS\scanregw.exe

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot back into Windows.

Post a fresh HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#5
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,

good to hear from you. I'm ready to go: I have PandaActive Scan on my desktop and Adaware installed BUT smitrem, when I doubleclicked it, gave me an error message - incorrect file size try to download file again, which I did, several times - all to no avail. ALSO, ewido security suite won't install on my system - I have Win Me not Win 2000 as you need for Ewido.

I have done nothing else so far. I won't until you let me know what to do about smitrem and ewido. Okay?

thanks
dreadpiratedaz
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
the download the extraction works fine for me.

Delete the file smitrem.exe which you already downloaded and the folder smitrem which may have been created.

Now proceed with the fix again, including downloading the file smitrem.exe.
  • 0

#7
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,

It all went smoothly but I can't run Ewido as i don't have Win 2000 but Win Me. However, when I ran Adaware it found a few critical objects. As per usual, it was able to remove all of them except one. i got the following message;

"Some objects could not be removed. Try closing all open browser windows prior to removal. If this does not help, reboot and run adaware again.

C:\_restore\temp\A1787204.0 (I knew this sucker would creep up again!!)

Do you want to let adaware remove them after the next reboot?"
I clicked 'yes' but, surprise surprise, Adaware was unable to remove the above file.

Anyroad, here's my smitlog, HJK log and Adaware log.

PS I also have another problem which I don't know if it's related to this: my HP printer keeps getting uninstalled(three times in the last month). This seems consistent with settings being changed without notice or permission. IE is still crashing as usual.


Logfile of HijackThis v1.99.1
Scan saved at 21:54:54, on 02/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP LASERJET 1010 SERIES\SETCONFIG.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab



smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~


wp.bmp


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! :tazz:



Ad-Aware SE Build 1.06r1
Logfile Created on:02 September 2005 20:56:18
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R61 10.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):2 total references
WindUpdates(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R61 10.08.2005
Internal build : 71
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 508229 Bytes
Total size : 1531791 Bytes
Signature data size : 1498915 Bytes
Reference data size : 32364 Bytes
Signatures total : 42681
CSI Fingerprints total : 1003
CSI data size : 35408 Bytes
Target categories : 15
Target families : 729


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:43 %
Total physical memory:122304 kb
Available physical memory:16828 kb
Total page file size:1974844 kb
Available on page file:1891148 kb
Total virtual memory:2093056 kb
Available virtual memory:2042688 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


02-09-2005 20:56:18 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293856357
Threads : 8
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294953677
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [CMDNINST.EXE]
ModuleName : C:\WINDOWS\SYSTEM\CMDNINST.EXE
Command Line : C:\WINDOWS\SYSTEM\CMDNINST.EXE INIT
ProcessID : 4294957913
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Config Manager Device Installer Launcher
InternalName : CMDNINST
LegalCopyright : Copyright © Microsoft Corp. 1994
OriginalFilename : CMDNINST.EXE

#:4 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294863409
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:5 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294861053
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:6 [SSDPSRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SSDPSRV.EXE
Command Line : C:\WINDOWS\SYSTEM\ssdpsrv.exe
ProcessID : 4294848153
Threads : 4
Priority : Normal
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:7 [THOTKEY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\THOTKEY.EXE
Command Line : C:\WINDOWS\SYSTEM\THotkey.exe
ProcessID : 4294897325
Threads : 3
Priority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : TOSHIBA THotkey
CompanyName : TOSHIBA Corp.
FileDescription : THotkey
InternalName : THotkey
LegalCopyright : Copyright © 1999
OriginalFilename : THotkey.exe

#:8 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : C:\WINDOWS\SYSTEM\STIMON.EXE
ProcessID : 4294898861
Threads : 6
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:9 [RUNDLL32.EXE]
ModuleName : C:\WINDOWS\RUNDLL32.EXE
Command Line : n/a
ProcessID : 4294898473
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:10 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294880533
Threads : 4
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:11 [KB891711.EXE]
ModuleName : C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
Command Line : n/a
ProcessID : 4294871881
Threads : 1
Priority : Normal
FileVersion : 4.10.2223
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:12 [HPBPRO.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBPRO.EXE
Command Line : C:\WINDOWS\SYSTEM\hpbpro.exe
ProcessID : 4294869501
Threads : 1
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : PortResolver Module
CompanyName : Hewlett-Packard Company
FileDescription : PortResolver Module
InternalName : PortResolver
LegalCopyright : Copyright 2000
OriginalFilename : PortResolver.exe

#:13 [HPBOID.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBOID.EXE
Command Line : C:\WINDOWS\SYSTEM\hpboid.exe
ProcessID : 4294842005
Threads : 2
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : HP Status Server
CompanyName : Hewlett-Packard Company
FileDescription : HP Status Server Module
InternalName : HP Status Server
LegalCopyright : Copyright © 2000 by Hewlett-Packard Company
OriginalFilename : HPboid.EXE

#:14 [RUNONCE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RUNONCE.EXE
Command Line : C:\WINDOWS\SYSTEM\runonce.exe -m
ProcessID : 4292964809
Threads : 1
Priority : Normal
FileVersion : 3.3
ProductVersion : 3.2
ProductName : RunOnce
CompanyName : Microsoft Corporation
FileDescription : Run Once Wrapper
InternalName : RunOnce
LegalCopyright : Copyright © Microsoft Corp. 1990 - 1995
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation

#:15 [RPCSS.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RPCSS.EXE
Command Line : RPCSS
ProcessID : 4292944265
Threads : 6
Priority : Normal
FileVersion : 4.71.3328
ProductVersion : 4.71.3328
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:16 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE" "+b1"
ProcessID : 4292998805
Threads : 3
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:17 [WINMGMT.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
Command Line : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE -Embedding
ProcessID : 4293132021
Threads : 4
Priority : Normal
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:18 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293115149
Threads : 5
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WindUpdates Object Recognized!
Type : File
Data : A1787204.1
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : LoaderX Module
FileDescription : LoaderX Module
InternalName : LoaderX
LegalCopyright : Copyright 2005
OriginalFilename : LoaderX.EXE


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

21:15:57 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:19:38.750
Objects scanned:105297
Objects identified:22
Objects ignored:21
New critical objects:0

Are we any closer yet?
thanks for your help Tampabelle
have a good weekend

Dreadpiratedaz
  • 0

#8
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
We will get that creep in System Restore in the last step.

Your HJT log looks fine.

Do you have any issues with your PC ???
  • 0

#9
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
As I said previously, my PC seems to be working and is usable though a little slow(I must remind myself it is a celeron 800!) I do have annoying/irritating symptoms like:

1/ IE keeps restarting when I open it up, its usually okay after one restart though

2/ I still have those little virus 'outbreaks', latest one was C:\windows\system\bff.dll which AVG said was a trojan horse startpage.19AN

3/ In the last couple of days I have had a couple of fatal exceptions that I didn't write down the details of, I just rebooted as I always do

4/ can only do diskdefrag in safe mode

5/ can only do scandisk in minimum boot with a boot disk

6/ my printer driver(twice in the last week) keeps uninstalling itself and 'disappearing'

7/ my pc is a laptop so when it completely hangs (a few times a week!) I have to unplug and disconnect the battery. I'm trying to remember when it hangs and it is often whenit is trying to shutdown programs.

Do I sound like I'm whinging?

Hey! Thanks for working weekends tampabelle!

dreadpiratedaz
  • 0

#10
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Again my apologies for such a late reply.

The file in your _Restore can be left as of now.

System restore is a feature, where by you can roll back the settings on your PC to earlier times. This is used when you have problems with your PC.

Unfortunately infections are also stored in the system restore and tend to be picked up by the virus scanners. This can be eliminated by wiping out the earlier system restore points and creating a fresh one, after the PC has been cleaned up.

In your case, since we have other issues I dont want to wipe out the earlier system restore points.

The good news is that the infections in the earlier system restore points dont effect your PC , unless you do a system restore to the point when the infection exists. In which case it becomes activated again and has to be tackled.

Coming to your current existing problems, I want you to do a scan disk.

Right click on "My Computer" on your desktop and then click on Properties ---> Tools ---> Check now.

In the window which pops up, check the boxes next to the following items -

Automatically fix file system errors
Scan for and attempt recovery of bad sectors


The scan disk would take a lot of time. So you can probably start it before you go to bed and leave the PC on overnight.

Try defragmenting the disk after the scan disk is completed. While it is preferable to run defrag in Safe Mode, try running it in Normal mode in your case.

Let me know how it goes.
  • 0

Advertisements


#11
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,

couldn't run scandisk in normal or safe mode. I had to run it from root directory while the laptop was in minimum mode after being booted on a startup disk. It found no errors.

I ran defrag in safe mode. It can't run in normal mode.

I am still getting the regular outbreaks of viruses from windows system directory (dll files) and my HP laserjet software keeps getting uninstalled every week of so.

I hope this is of some help.

Thanks
dreadpiratedaz
  • 0

#12
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Where are you getting the reports of the "outbreak of viruses"??

Can you post any logs ???
  • 0

#13
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Very regularly, once or twice a week through AVG. They are always located in windows/system and are dll files. It often happens when I try to start IE or attempt to do something similar like start a new program. I can collect the file names if you like over the next week or so. AVG seems to think they are startpage trojan horses, 'an19' seems to be in the file name somewhere. I can't remember - I haven't written it down.

thanks
Dreadpiratedaz
  • 0

#14
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Logfile of HijackThis v1.99.1
Scan saved at 15:35:25, on 30/09/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
  • 0

#15
dreadpiratedaz

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Ad-Aware SE Build 1.06r1
Logfile Created on:30 September 2005 15:38:13
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R68 28.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
Tracking Cookie(TAC index:3):8 total references
Win32.Trojan.StartPage(TAC index:8):37 total references
WindUpdates(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R61 10.08.2005
Internal build : 71
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 508229 Bytes
Total size : 1531791 Bytes
Signature data size : 1498915 Bytes
Reference data size : 32364 Bytes
Signatures total : 42681
CSI Fingerprints total : 1003
CSI data size : 35408 Bytes
Target categories : 15
Target families : 729

30-09-2005 15:37:48 Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R68 28.09.2005
Internal build : 80
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 526954 Bytes
Total size : 1581029 Bytes
Signature data size : 1547745 Bytes
Reference data size : 32772 Bytes
Signatures total : 43961
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 753


30-09-2005 15:38:01 Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:0 %
Total physical memory:122304 kb
Available physical memory:4176 kb
Total page file size:1974844 kb
Available on page file:1705064 kb
Total virtual memory:2093056 kb
Available virtual memory:2041024 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


30-09-2005 15:38:13 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293858017
Threads : 8
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294956105
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294866101
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294868601
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [SSDPSRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SSDPSRV.EXE
Command Line : C:\WINDOWS\SYSTEM\ssdpsrv.exe
ProcessID : 4294848697
Threads : 7
Priority : Normal
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:6 [THOTKEY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\THOTKEY.EXE
Command Line : C:\WINDOWS\SYSTEM\THotkey.exe
ProcessID : 4294848441
Threads : 2
Priority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : TOSHIBA THotkey
CompanyName : TOSHIBA Corp.
FileDescription : THotkey
InternalName : THotkey
LegalCopyright : Copyright © 1999
OriginalFilename : THotkey.exe

#:7 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : C:\WINDOWS\SYSTEM\STIMON.EXE
ProcessID : 4294899493
Threads : 6
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:8 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294883893
Threads : 4
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:9 [KB891711.EXE]
ModuleName : C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
Command Line : n/a
ProcessID : 4294876933
Threads : 1
Priority : Normal
FileVersion : 4.10.2223
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:10 [HPBPRO.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBPRO.EXE
Command Line : C:\WINDOWS\SYSTEM\hpbpro.exe
ProcessID : 4294869097
Threads : 1
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : PortResolver Module
CompanyName : Hewlett-Packard Company
FileDescription : PortResolver Module
InternalName : PortResolver
LegalCopyright : Copyright 2000
OriginalFilename : PortResolver.exe

#:11 [HPBOID.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBOID.EXE
Command Line : C:\WINDOWS\SYSTEM\hpboid.exe
ProcessID : 4292965125
Threads : 1
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : HP Status Server
CompanyName : Hewlett-Packard Company
FileDescription : HP Status Server Module
InternalName : HP Status Server
LegalCopyright : Copyright © 2000 by Hewlett-Packard Company
OriginalFilename : HPboid.EXE

#:12 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4292963841
Threads : 27
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:13 [RPCSS.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RPCSS.EXE
Command Line : RPCSS
ProcessID : 4292999869
Threads : 6
Priority : Normal
FileVersion : 4.71.3328
ProductVersion : 4.71.3328
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:14 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\WINDOWS\taskmon.exe"
ProcessID : 4292897705
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:15 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4292914817
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:16 [IRMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IRMON.EXE
Command Line : "C:\WINDOWS\SYSTEM\irmon.exe"
ProcessID : 4293091973
Threads : 7
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Infrared Monitor
InternalName : irmon.dll
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : irmon.dll

#:17 [ALISNDMG.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ALISNDMG.EXE
Command Line : "C:\WINDOWS\SYSTEM\ALiSndMg.exe"
ProcessID : 4293085433
Threads : 2
Priority : Normal
FileVersion : 1.01
ProductVersion : 1.01
ProductName : ALiSndMgr
CompanyName : ALi Laboratories Inc.
FileDescription : ALiSndMgr
InternalName : ALiSndMgr
LegalCopyright : Copyright © 2000
OriginalFilename : ALiSndMgr.exe

#:18 [EM_EXEC.EXE]
ModuleName : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
Command Line : "C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE"
ProcessID : 4293095517
Threads : 3
Priority : Normal
FileVersion : 9.11.62
ProductVersion : 9.11
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-2000.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:19 [TPWRTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\TPWRTRAY.EXE"
ProcessID : 4292923445
Threads : 2
Priority : Normal
FileVersion : 4. 0. 0. 0
ProductVersion : 4. 0. 0. 0
ProductName : Toshiba Power Saver
CompanyName : TOSHIBA Corporation
FileDescription : Toshiba Power Saver
InternalName : Tpwrtray
LegalCopyright : Copyright 1999-2001 Toshiba Corporation.
OriginalFilename : Tpwrtray.exe
Comments : Toshiba Power Saver

#:20 [TFNCKY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TFNCKY.EXE
Command Line : "C:\WINDOWS\SYSTEM\TFncKy.exe"
ProcessID : 4293126901
Threads : 2
Priority : Normal
FileVersion : 1.21
ProductVersion : 1.21
ProductName : TFncKy
CompanyName : Toshiba Corporation
FileDescription : TFncKy
InternalName : TFncKy
LegalCopyright : Copyright 1997-2000 Toshiba Corporation. All rights reserved.
OriginalFilename : TFncKy.EXE

#:21 [DCFSSVC.EXE]
ModuleName : C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
Command Line : "C:\WINDOWS\System32\Drivers\dcfssvc.exe"
ProcessID : 4293109737
Threads : 3
Priority : Normal
FileVersion : 1.1.4400.0
ProductVersion : 3.2.0400.0
ProductName : Kodak DC File System Driver (Win32)
CompanyName : Eastman Kodak Company
FileDescription : Kodak DC Ring 3 Conduit (Win32)
InternalName : DcFsSvc.exe
LegalCopyright : Copyright © Eastman Kodak Co. 2000-2002
OriginalFilename : DcFsSvc.exe

#:22 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_ffe0acd5
ProcessID : 4293103933
Threads : 4
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:23 [AVGCC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE" /STARTUP
ProcessID : 4293005417
Threads : 6
Priority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:24 [AVGEMC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE"
ProcessID : 4293049717
Threads : 7
Priority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:25 [AVGAMSVR.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE"
ProcessID : 4293041349
Threads : 8
Priority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:26 [STATUSCLIENT.EXE]
ModuleName : C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
Command Line : "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
ProcessID : 4293217117
Threads : 4
Priority : Normal
FileVersion : 00.00.13
ProductVersion : 00.00.13
ProductName : Hewlett-Packard T-TR Status Client
CompanyName : Hewlett-Packard
FileDescription : Hewlett-Packard T-TR Status Client
InternalName : StatusClient.exe
LegalCopyright : Copyright © 2002 Hewlett-Packard Company
LegalTrademarks : All Rights Reserved.
OriginalFilename : StatusClient.exe

#:27 [RunDLL.exe]
ModuleName : C:\WINDOWS\RunDLL.exe
Command Line : n/a
ProcessID : 4293256189
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:28 [AIRPLUS.EXE]
ModuleName : C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
Command Line : "C:\Program Files\D-Link AirPlus\AirPlus.exe"
ProcessID : 4293158013
Threads : 2
Priority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : D-Link AirPlus
CompanyName : D-Link
FileDescription : WLAN Adapter Utility
InternalName : WLANMON
LegalCopyright : Copyright © All Rights Reserved.
OriginalFilename : AIRPLUS.EXE

#:29 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293024957
Threads : 5
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:30 [JAVAW.EXE]
ModuleName : C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
Command Line : "C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe" -jar -Duser.dir="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0" "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\bin\bootstrap.jar" start
ProcessID : 4293244185
Threads : 24
Priority : Normal


#:31 [WUAUCLT.EXE]
ModuleName : C:\WINDOWS\WUAUCLT.EXE
Command Line : -AUMagic
ProcessID : 4293368305
Threads : 4
Priority : Idle
FileVersion : 5.4.5681.0
ProductVersion : 5.4.5681.0
ProductName : Microsoft Windows Update - AutoUpdate feature
CompanyName : Microsoft Corporation
FileDescription : Microsoft AutoUpdate
InternalName : WUAUCLT.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WUAUCLT.EXE

#:32 [IEXPLORE.EXE]
ModuleName : C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
Command Line : "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
ProcessID : 4293276165
Threads : 10
Priority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:33 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4293471941
Threads : 6
Priority : Realtime
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
ProductName : Microsoft® DirectX for Windows®
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2002
OriginalFilename : DDHelp.exe

#:34 [WINMGMT.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
Command Line : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE -Embedding
ProcessID : 4293399721
Threads : 4
Priority : Normal
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:35 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293442057
Threads : 3
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:[email protected]/
Expires : 01-01-2021 00:59:58
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@247realmedia[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 01-01-2011 00:59:58
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:18
Value : Cookie:[email protected]/
Expires : 06-09-2010 17:28:00
LastSync : Hits:18
UseCount : 0
Hits : 18

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@serving-sys[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:73
Value : Cookie:[email protected]/
Expires : 31-12-2037 23:00:00
LastSync : Hits:73
UseCount : 0
Hits : 73

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@bravenet[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:[email protected]/
Expires : 13-09-2015 21:45:24
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@questionmarket[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 19-11-2006 11:13:00
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : [email protected][1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:[email protected]/
Expires : 04-09-2006 18:29:26
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : default@tripod[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:[email protected]/
Expires : 15-09-2006 21:45:14
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WindUpdates Object Recognized!
Type : File
Data : A1787204.0
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : LoaderX Module
FileDescription : LoaderX Module
InternalName : LoaderX
LegalCopyright : Copyright 2005
OriginalFilename : LoaderX.EXE


Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1788692.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1789784.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1789907.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1792489.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1792735.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1792923.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1793905.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1794138.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1794226.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1794279.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1795350.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1795419.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1795467.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1797428.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1797517.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1797545.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1797591.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1798603.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1798627.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1798805.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1798839.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1799899.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1801095.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1801120.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1802204.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1804055.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1804057.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1805090.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1807837.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1807846.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1810275.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1810711.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1810751.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1810786.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1811181.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1812294.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A1812338.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 49




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 49

15:53:07 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:14:54.410
Objects scanned:113158
Objects identified:68
Objects ignored:22
New critical objects:46
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP