Umonitor/VX2/Guard



#1 notman (Member, 11 posts)
Not sure what we're calling this latest threat, but it seems to be the same one others are having problems with. Tried cleaning with Ad Aware, tried manual cleaning using some of the advice I've seen here and elsewhere, with no luck, finally turning to the experts. Posting this from another computer, but here is the HJT log. Thanks for any help or assistance.

Logfile of HijackThis v1.98.2
Scan saved at 2:18:48 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINNT\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygphug.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\mrtMngr.EXE
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.95.104.56:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINNT\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINNT\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINNT\Java\ControlF1\STMeeting25.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.c...enplug60910.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.lib.washi...s/cds/msrdp.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A682A5C-883F-48C5-BDF3-8C38B34DFA76}: NameServer = 192.192.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9806F3B-3513-4670-8910-F5631AC8A632}: NameServer = 192.192.192.1
  • 0

#2 criticman (Member, 37 posts)
Ad Aware doesn't seem to give a crap about whether their product works anymore. I downloaded their touted VX2 add-on, and it does literally NOTHING. Every time I use it, it says "System clean", which is, of course, ridiculous. If you run Ad Aware when you go offline, quarantine the results and delete them, then immediately run it again, you get just as many hits, if not more. Same thing happens when you reboot then try it again. All without going online again. I've emailed them about these problems, their reaction was - "We offer no support to users of the free software."
What's the point, then?
It rumbles, looks good, seems to give results, but you can't depend on them. I'm not being overcritical, either. I realize that there are ever-changing variations that the enemy is tossing out there constantly in an effort to do -what? take over the frigging world? It all makes little sense to me.
But Ad Aware takes months to update their product, it works a little better for maybe a week, then it's back to the same old gestalt.
To be fair, on one evening when I was on AOL for 45 minutes, they found a whopping 467 new threats hanging out on my computer, and got rid of the great bulk of them. Usually, however, they are wanting, and they're not alone. These days, I spend 15 minutes online and 40 minutes cleaning up after the visit. I need something better than a dog and pony show.
  • 0

#3 notman (Topic Starter, Member, 11 posts)
I can't disagree with anything you said. I had been relying on generally safe surfing practices and regular Ad Aware sweeps to keep my machine clean, but when confronted with something new, it seems like they aren't much help.
  • 0

#4 criticman (Member, 37 posts)

> I can't disagree with anything you said. I had been relying on generally safe surfing practices and regular Ad Aware sweeps to keep my machine clean, but when confronted with something new, it seems like they aren't much help.

In the past 6 months, 'safe surfing practices' have become extinct. I, myself use about 4 different programs, and each finds something else. Plus, because I'm fairly familiar with my system after all this time, I go in and prune what can be pruned, by hand. Then, I use Regedit to find the suspicious and dump it.
Much of it can't be removed, which absolutely incenses me. Or, you get rid of them, then they come right back, anyway.
It's like what used to be said of burglars: if they want to rob your stuff, they're going to rob your stuff.
At this point I've just downloaded and tried Spyware Blaster.
Initially (earlier today), I was greatly impressed by its pyrotechnics. It really looks great. But when push came to shove, and I scanned with Ad Aware afterwards; that's right, the same old Ad Aware I just berated, it came up with the exact same amount of hits it usually does.
So what am I to think?
The real problem is that we need a program that accepts input. You find something dirty, you plug the results into it and if it ever spots it again, it flushes it.
But there isn't anything like that, so I continue to use XoftSpy, Ad Aware, Spyware Blaster, AVG and AOL's free McAfee plugin, which takes maybe 90 minutes to do a scan (while online), and is completely worthless. These cretins can put stuff on my system faster than McAfee can find it.
It gets so you think you're losing your mind over this.
I do all that because this latest round of internet garbage has done real damage to my computer. I've formatted and reinstalled Windows 2000 TWICE in the past 4 months, and I'm not going overboard.
At one point, something some [bleep] threw up on me caused my AOL program to stop functioning entirely.
I regularly get harangued with these UMonitor error messages (which also drive me crazy) and my browser keeps getting hijacked by Ebloc and Ad Aware, even though I have changed browsers (IE is OUT) and ran Sun Java to replace Microsoft's Java Machine.
So do everything you can, anything you can, because our legislature is dragging its feet on putting these criminals out of business, as they should, and it's likely to get worse before it gets any better.
  • 0

#5 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
notman. Welcome to GTG.

Click Here to download the latest version of Hijack This (1.99). It's better able to catch the latest threats.
  • 0

#6 notman (Topic Starter, Member, 11 posts)

> notman. Welcome to GTG.
>
> Click Here to download the latest version of Hijack This (1.99). It's better able to catch the latest threats.

Okay, tried that, and now I get an error before a scan completes and HJT closes. Tried uninstalling, reinstalling, etc., and something is blocking HJT from working.
  • 0

#7 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.168.1.1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.95.104.56:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

Let's get rid of all these. They can be downloaded the next time you visit that website with little pain.

O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINNT\Java\ControlF1\STMeeting25.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.c...enplug60910.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.lib.washi...s/cds/msrdp.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15008/CTPID.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files (if found):


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygphug.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start ---> My Computer).
You will see an icon representing your hard drive (most likely C: Drive). Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Reboot.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.
  • 0

#8 notman (Topic Starter, Member, 11 posts)

Okay, this is the Ad Aware log. I don't know if anyone else has noticed this, but when you click the button to delete files in Ad Aware, the computer acts like it's opening a new window or something (tool bars briefly pop out, screen flickers, etc.)


Ad-Aware SE Build 1.05
Logfile Created on:Sunday, December 26, 2004 8:51:17 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R23 16.12.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):13 total references
MRU List(TAC index:0):18 total references
VX2(TAC index:10):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R23 16.12.2004
Internal build : 28
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 418765 Bytes
Total size : 1325342 Bytes
Signature data size : 1295582 Bytes
Reference data size : 29248 Bytes
Signatures total : 36831
Fingerprints total : 624
Fingerprints size : 23478 Bytes
Target categories : 15
Target families : 634


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:67 %
Total physical memory:1047348 kb
Available physical memory:695244 kb
Total page file size:1733808 kb
Available on page file:1469656 kb
Total virtual memory:2097024 kb
Available virtual memory:2041732 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Create log file for removal operations
Set : Include module list in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-26-2004 8:51:17 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 628
ThreadCreationTime : 12-27-2004 4:47:55 AM
BasePriority : Normal

Scanning Module:\SystemRoot\System32\smss.exe...
Scanning Module:C:\WINNT\system32\ntdll.dll...

#:2 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : n/a
ProcessID : 728
ThreadCreationTime : 12-27-2004 4:48:00 AM
BasePriority : High

Scanning Module:\??\C:\WINNT\system32\winlogon.exe...
Scanning Module:C:\WINNT\system32\kernel32.dll...
Scanning Module:C:\WINNT\system32\ADVAPI32.dll...
Scanning Module:C:\WINNT\system32\RPCRT4.dll...
Scanning Module:C:\WINNT\system32\AUTHZ.dll...
Scanning Module:C:\WINNT\system32\msvcrt.dll...
Scanning Module:C:\WINNT\system32\CRYPT32.dll...
Scanning Module:C:\WINNT\system32\USER32.dll...
Scanning Module:C:\WINNT\system32\GDI32.dll...
Scanning Module:C:\WINNT\system32\MSASN1.dll...
Scanning Module:C:\WINNT\system32\NDdeApi.dll...
Scanning Module:C:\WINNT\system32\PROFMAP.dll...
Scanning Module:C:\WINNT\system32\NETAPI32.dll...
Scanning Module:C:\WINNT\system32\USERENV.dll...
Scanning Module:C:\WINNT\system32\PSAPI.DLL...
Scanning Module:C:\WINNT\system32\REGAPI.dll...
Scanning Module:C:\WINNT\system32\Secur32.dll...
Scanning Module:C:\WINNT\system32\SETUPAPI.dll...
Scanning Module:C:\WINNT\system32\VERSION.dll...
Scanning Module:C:\WINNT\system32\WINSTA.dll...
Scanning Module:C:\WINNT\system32\WINTRUST.dll...
Scanning Module:C:\WINNT\system32\IMAGEHLP.dll...
Scanning Module:C:\WINNT\system32\WS2_32.dll...
Scanning Module:C:\WINNT\system32\WS2HELP.dll...
Scanning Module:C:\WINNT\system32\MSGINA.dll...
Scanning Module:C:\WINNT\system32\SHELL32.dll...
Scanning Module:C:\WINNT\system32\SHLWAPI.dll...
Scanning Module:C:\WINNT\system32\COMCTL32.dll...
Scanning Module:C:\WINNT\system32\ODBC32.dll...
Scanning Module:C:\WINNT\system32\comdlg32.dll...
Scanning Module:C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll...
Scanning Module:C:\WINNT\system32\odbcint.dll...
Scanning Module:C:\WINNT\system32\SHSVCS.dll...
Scanning Module:C:\WINNT\system32\sfc.dll...
Scanning Module:C:\WINNT\system32\sfc_os.dll...
Scanning Module:C:\WINNT\system32\ole32.dll...
Scanning Module:C:\WINNT\system32\Apphelp.dll...
Scanning Module:C:\WINNT\system32\WINSCARD.DLL...
Scanning Module:C:\WINNT\system32\WTSAPI32.dll...
Scanning Module:C:\WINNT\system32\sxs.dll...
Scanning Module:C:\WINNT\system32\uxtheme.dll...
Scanning Module:C:\WINNT\system32\WINMM.dll...
Scanning Module:C:\WINNT\system32\serwvdrv.dll...
Scanning Module:C:\WINNT\system32\umdmxfrm.dll...
Scanning Module:C:\WINNT\system32\cscdll.dll...
Scanning Module:C:\WINNT\system32\WlNotify.dll...
Scanning Module:C:\WINNT\system32\WINSPOOL.DRV...
Scanning Module:C:\WINNT\system32\MPR.dll...
Scanning Module:C:\WINNT\system32\rsaenh.dll...
Scanning Module:C:\WINNT\system32\SAMLIB.dll...
Scanning Module:C:\WINNT\system32\msv1_0.dll...
Scanning Module:C:\WINNT\system32\iphlpapi.dll...
Scanning Module:C:\WINNT\system32\cscui.dll...
Scanning Module:C:\WINNT\system32\h4n00e5meh.dll...

VX2 Object Recognized!
Type : Process
Data : h4n00e5meh.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! VX2 Object found in memory(C:\WINNT\system32\h4n00e5meh.dll)

Scanning Module:C:\WINNT\system32\OLEAUT32.dll...
Scanning Module:C:\WINNT\system32\oledlg.dll...
Scanning Module:C:\WINNT\system32\urlmon.dll...
Scanning Module:C:\WINNT\system32\WININET.dll...
Scanning Module:C:\WINNT\system32\wldap32.dll...
Scanning Module:C:\WINNT\system32\RASAPI32.DLL...
Scanning Module:C:\WINNT\system32\rasman.dll...
Scanning Module:C:\WINNT\system32\TAPI32.dll...
Scanning Module:C:\WINNT\system32\rtutils.dll...
Scanning Module:C:\WINNT\system32\xpsp2res.dll...
Scanning Module:C:\WINNT\System32\drprov.dll...
Scanning Module:C:\WINNT\System32\ntlanman.dll...
Scanning Module:C:\WINNT\System32\NETUI0.dll...
Scanning Module:C:\WINNT\System32\NETUI1.dll...
Scanning Module:C:\WINNT\System32\NETRAP.dll...
Scanning Module:C:\WINNT\System32\davclnt.dll...
Scanning Module:C:\WINNT\system32\MPRUI.dll...
Scanning Module:C:\WINNT\system32\NETUI2.dll...
Scanning Module:C:\WINNT\system32\netmsg.dll...
Scanning Module:C:\WINNT\system32\wdmaud.drv...
Scanning Module:C:\WINNT\system32\msacm32.drv...
Scanning Module:C:\WINNT\system32\MSACM32.dll...
Scanning Module:C:\WINNT\system32\midimap.dll...
Scanning Module:C:\WINNT\system32\COMRes.dll...
Scanning Module:C:\WINNT\system32\CLBCATQ.DLL...
Scanning Module:C:\WINNT\system32\NTMARTA.DLL...
Scanning Module:C:\WINNT\system32\sensapi.dll...

#:3 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : n/a
ProcessID : 772
ThreadCreationTime : 12-27-2004 4:48:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
Scanning Module:C:\WINNT\system32\services.exe...
Scanning Module:C:\WINNT\system32\SCESRV.dll...
Scanning Module:C:\WINNT\system32\umpnpmgr.dll...
Scanning Module:C:\WINNT\system32\NCObjAPI.DLL...
Scanning Module:C:\WINNT\system32\MSVCP60.dll...
Scanning Module:C:\WINNT\system32\ShimEng.dll...
Scanning Module:C:\WINNT\AppPatch\AcGenral.DLL...
Scanning Module:C:\WINNT\system32\eventlog.dll...

#:4 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : n/a
ProcessID : 784
ThreadCreationTime : 12-27-2004 4:48:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Scanning Module:C:\WINNT\system32\lsass.exe...
Scanning Module:C:\WINNT\system32\LSASRV.dll...
Scanning Module:C:\WINNT\system32\NTDSAPI.dll...
Scanning Module:C:\WINNT\system32\DNSAPI.dll...
Scanning Module:C:\WINNT\system32\SAMSRV.dll...
Scanning Module:C:\WINNT\system32\cryptdll.dll...
Scanning Module:C:\WINNT\system32\msprivs.dll...
Scanning Module:C:\WINNT\system32\kerberos.dll...
Scanning Module:C:\WINNT\system32\netlogon.dll...
Scanning Module:C:\WINNT\system32\w32time.dll...
Scanning Module:C:\WINNT\system32\schannel.dll...
Scanning Module:C:\WINNT\system32\wdigest.dll...
Scanning Module:C:\WINNT\system32\scecli.dll...
Scanning Module:C:\WINNT\system32\ipsecsvc.dll...
Scanning Module:C:\WINNT\system32\oakley.DLL...
Scanning Module:C:\WINNT\system32\WINIPSEC.DLL...
Scanning Module:C:\WINNT\system32\mswsock.dll...
Scanning Module:C:\WINNT\system32\hnetcfg.dll...
Scanning Module:C:\WINNT\System32\wshtcpip.dll...
Scanning Module:C:\WINNT\system32\dssenh.dll...
Scanning Module:C:\WINNT\system32\pstorsvc.dll...
Scanning Module:C:\WINNT\system32\psbase.dll...

#:5 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : n/a
ProcessID : 932
ThreadCreationTime : 12-27-2004 4:48:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:C:\WINNT\system32\svchost.exe...
Scanning Module:c:\winnt\system32\rpcss.dll...
Scanning Module:C:\WINNT\system32\msi.dll...
Scanning Module:c:\winnt\system32\termsrv.dll...
Scanning Module:c:\winnt\system32\ICAAPI.dll...
Scanning Module:c:\winnt\system32\mstlsapi.dll...
Scanning Module:c:\winnt\system32\ACTIVEDS.dll...
Scanning Module:c:\winnt\system32\adsldpc.dll...
Scanning Module:c:\winnt\system32\ATL.DLL...

#:6 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : n/a
ProcessID : 1032
ThreadCreationTime : 12-27-2004 4:48:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\winnt\system32\dhcpcsvc.dll...
Scanning Module:c:\winnt\system32\wzcsvc.dll...
Scanning Module:c:\winnt\system32\WMI.dll...
Scanning Module:c:\winnt\system32\ESENT.dll...
Scanning Module:C:\WINNT\System32\rastls.dll...
Scanning Module:C:\WINNT\system32\CRYPTUI.dll...
Scanning Module:C:\WINNT\System32\MPRAPI.dll...
Scanning Module:C:\WINNT\System32\raschap.dll...
Scanning Module:c:\winnt\system32\schedsvc.dll...
Scanning Module:C:\WINNT\System32\MSIDLE.DLL...
Scanning Module:c:\winnt\system32\audiosrv.dll...
Scanning Module:c:\winnt\system32\wkssvc.dll...
Scanning Module:c:\winnt\system32\cryptsvc.dll...
Scanning Module:c:\winnt\system32\certcli.dll...
Scanning Module:c:\winnt\system32\dmserver.dll...
Scanning Module:c:\winnt\system32\ersvc.dll...
Scanning Module:c:\winnt\system32\es.dll...
Scanning Module:c:\winnt\pchealth\helpctr\binaries\pchsvc.dll...
Scanning Module:c:\winnt\system32\hidserv.dll...
Scanning Module:c:\winnt\system32\HID.DLL...
Scanning Module:c:\winnt\system32\srvsvc.dll...
Scanning Module:c:\winnt\system32\netman.dll...
Scanning Module:c:\winnt\system32\netshell.dll...
Scanning Module:c:\winnt\system32\credui.dll...
Scanning Module:c:\winnt\system32\WZCSAPI.DLL...
Scanning Module:c:\winnt\system32\seclogon.dll...
Scanning Module:c:\winnt\system32\sens.dll...
Scanning Module:c:\winnt\system32\srsvc.dll...
Scanning Module:c:\winnt\system32\POWRPROF.dll...
Scanning Module:c:\winnt\system32\trkwks.dll...
Scanning Module:c:\winnt\system32\wbem\wmisvc.dll...
Scanning Module:C:\WINNT\system32\VSSAPI.DLL...
Scanning Module:c:\winnt\system32\wuauserv.dll...
Scanning Module:C:\WINNT\system32\wuaueng.dll...
Scanning Module:C:\WINNT\System32\ADVPACK.dll...
Scanning Module:C:\WINNT\System32\SHFOLDER.dll...
Scanning Module:C:\WINNT\System32\WINHTTP.dll...
Scanning Module:C:\WINNT\System32\Cabinet.dll...
Scanning Module:C:\WINNT\System32\mspatcha.dll...
Scanning Module:c:\winnt\system32\browser.dll...
Scanning Module:C:\WINNT\system32\comsvcs.dll...
Scanning Module:C:\WINNT\system32\MTXCLU.DLL...
Scanning Module:C:\WINNT\system32\WSOCK32.dll...
Scanning Module:C:\WINNT\system32\colbact.DLL...
Scanning Module:C:\WINNT\System32\CLUSAPI.DLL...
Scanning Module:C:\WINNT\System32\RESUTILS.DLL...
Scanning Module:c:\winnt\system32\ipnathlp.dll...
Scanning Module:c:\winnt\system32\wscsvc.dll...
Scanning Module:C:\WINNT\System32\wbem\wbemcomn.dll...
Scanning Module:C:\WINNT\system32\WBEM\wbemcore.dll...
Scanning Module:C:\WINNT\system32\WBEM\esscli.dll...
Scanning Module:C:\WINNT\system32\WBEM\FastProx.dll...
Scanning Module:C:\WINNT\System32\wbem\wbemsvc.dll...
Scanning Module:C:\WINNT\System32\wbem\wmiutils.dll...
Scanning Module:C:\WINNT\System32\wbem\repdrvfs.dll...
Scanning Module:C:\WINNT\System32\wbem\wmiprvsd.dll...
Scanning Module:C:\WINNT\System32\wbem\wbemess.dll...
Scanning Module:C:\WINNT\System32\wbem\ncprov.dll...
Scanning Module:C:\WINNT\System32\upnp.dll...
Scanning Module:C:\WINNT\System32\SSDPAPI.dll...
Scanning Module:C:\WINNT\System32\RASDLG.dll...
Scanning Module:C:\WINNT\System32\NetCfgx.dll...
Scanning Module:C:\WINNT\System32\rasmans.dll...
Scanning Module:c:\winnt\system32\tapisrv.dll...
Scanning Module:C:\WINNT\System32\rasadhlp.dll...
Scanning Module:C:\WINNT\System32\rastapi.dll...
Scanning Module:C:\WINNT\System32\unimdm.tsp...
Scanning Module:C:\WINNT\System32\uniplat.dll...
Scanning Module:C:\WINNT\System32\unimdmat.dll...
Scanning Module:C:\WINNT\system32\modemui.dll...
Scanning Module:C:\WINNT\System32\kmddsp.tsp...
Scanning Module:C:\WINNT\System32\ndptsp.tsp...
Scanning Module:C:\WINNT\System32\ipconf.tsp...
Scanning Module:C:\WINNT\System32\h323.tsp...
Scanning Module:C:\WINNT\System32\hidphone.tsp...
Scanning Module:C:\WINNT\System32\rasppp.dll...
Scanning Module:C:\WINNT\System32\ntlsapi.dll...
Scanning Module:C:\WINNT\System32\ipxwan.dll...
Scanning Module:C:\WINNT\System32\adptif.dll...
Scanning Module:C:\WINNT\System32\wups.dll...

#:7 [brsvc01a.exe]
ModuleName : C:\WINNT\System32\brsvc01a.exe
Command Line : n/a
ProcessID : 1384
ThreadCreationTime : 12-27-2004 4:48:01 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : brother Industries Ltd brsvc01a
CompanyName : brother Industries Ltd
FileDescription : brsvc01a
InternalName : brsvc01a
LegalCopyright : Copyright © Brother Industries, Ltd 2001
OriginalFilename : brsvc01a.exe
Scanning Module:C:\WINNT\System32\brsvc01a.exe...

#:8 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : n/a
ProcessID : 1400
ThreadCreationTime : 12-27-2004 4:48:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Scanning Module:C:\WINNT\system32\spoolsv.exe...
Scanning Module:C:\WINNT\system32\SPOOLSS.DLL...
Scanning Module:C:\WINNT\system32\localspl.dll...
Scanning Module:C:\WINNT\system32\AdobePDF.dll...
Scanning Module:C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\adistres.dll...
Scanning Module:C:\WINNT\system32\cnbjmon.dll...
Scanning Module:C:\WINNT\system32\Eplpmx02.DLL...
Scanning Module:C:\WINNT\system32\Eplplx02.dll...
Scanning Module:C:\WINNT\system32\EBPMON3.DLL...
Scanning Module:C:\WINNT\system32\pjlmon.dll...
Scanning Module:C:\WINNT\system32\tcpmon.dll...
Scanning Module:C:\WINNT\system32\usbmon.dll...
Scanning Module:C:\WINNT\System32\spool\PRTPROCS\W32X86\BRPP2KA.DLL...
Scanning Module:C:\WINNT\System32\winrnr.dll...
Scanning Module:C:\WINNT\system32\win32spl.dll...
Scanning Module:C:\WINNT\system32\inetpp.dll...

#:9 [brss01a.exe]
ModuleName : C:\WINNT\System32\brss01a.exe
Command Line : n/a
ProcessID : 1412
ThreadCreationTime : 12-27-2004 4:48:01 AM
BasePriority : Normal
FileVersion : 1.004
ProductVersion : 1, 0, 0, 4
ProductName : brother Industries Ltd brss01a.exe
CompanyName : brother Industries Ltd
FileDescription : brss01a.exe
InternalName : brss01a.exe
LegalCopyright : Copyright ? 2001
OriginalFilename : brss01a.exe
Comments : Brsplproc XP wrapper
Scanning Module:C:\WINNT\System32\brss01a.exe...

#:10 [rundll32.exe]
ModuleName : C:\WINNT\system32\rundll32.exe
Command Line : rundll32.exe "C:\WINNT\system32\ml3216.dll",UMonitor
ProcessID : 1752
ThreadCreationTime : 12-27-2004 4:48:08 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Scanning Module:C:\WINNT\system32\rundll32.exe...
Scanning Module:C:\WINNT\system32\ml3216.dll...

VX2 Object Recognized!
Type : Process
Data : ml3216.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! VX2 Object found in memory(C:\WINNT\system32\ml3216.dll)

Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\WINNT\system32\rundll32.exe"Process terminated successfully

#:11 [ccsetmgr.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
Command Line : n/a
ProcessID : 1824
ThreadCreationTime : 12-27-2004 4:48:09 AM
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe...
Scanning Module:C:\WINNT\system32\MSVCP70.dll...
Scanning Module:C:\WINNT\system32\MSVCR70.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccVrTrst.dll...

#:12 [cisvc.exe]
ModuleName : C:\WINNT\system32\cisvc.exe
Command Line : n/a
ProcessID : 1840
ThreadCreationTime : 12-27-2004 4:48:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe
Scanning Module:C:\WINNT\system32\cisvc.exe...
Scanning Module:C:\WINNT\system32\query.dll...

#:13 [jrunsvc.exe]
ModuleName : C:\CFusionMX\runtime\bin\jrunsvc.exe
Command Line : n/a
ProcessID : 1852
ThreadCreationTime : 12-27-2004 4:48:09 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : Macromedia JRun Application Server
CompanyName : Macromedia Inc.
FileDescription : JRun Service Controller for Windows
InternalName : jrunsvc
LegalCopyright : Copyright © 2002 Macromedia.
OriginalFilename : jrunsvc.exe
Comments : JRun Service Controller for Windows
Scanning Module:C:\CFusionMX\runtime\bin\jrunsvc.exe...

#:14 [jrun.exe]
ModuleName : C:\CFusionMX\runtime\bin\jrun.exe
Command Line : n/a
ProcessID : 1892
ThreadCreationTime : 12-27-2004 4:48:09 AM
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : Macromedia JRun Application Server
CompanyName : Macromedia Inc.
FileDescription : JRun JAR Launcher
InternalName : launcher
LegalCopyright : Copyright © 2002 Macromedia.
OriginalFilename : launcher.exe
Comments : JRun JAR Launcher
Scanning Module:C:\CFusionMX\runtime\bin\jrun.exe...
Scanning Module:C:\CFusionMX\runtime\jre\bin\hotspot\jvm.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\hpi.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\verify.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\java.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\zip.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\net.dll...
Scanning Module:C:\CFusionMX\runtime\lib\wsconfig\jrunwin32.dll...
Scanning Module:C:\CFusionMX\runtime\jre\bin\ioser12.dll...
Scanning Module:C:\CFusionMX\lib\cfindex.dll...
Scanning Module:C:\CFusionMX\lib\vdk200.dll...
Scanning Module:C:\CFusionMX\lib\LIBALLRSEI.dll...
Scanning Module:C:\CFusionMX\lib\PerfmonClient.dll...

#:15 [nmssvc.exe]
ModuleName : C:\WINNT\System32\NMSSvc.exe
Command Line : n/a
ProcessID : 2044
ThreadCreationTime : 12-27-2004 4:48:10 AM
BasePriority : Normal
FileVersion : 2.2.9.0
ProductVersion : 2.2.9.0
ProductName : NMS
CompanyName : Intel Corporation
FileDescription : NMS Module
InternalName : NMS Module
LegalCopyright : Copyright © 2000-2002 Intel Corp. All Rights Reserved
Scanning Module:C:\WINNT\System32\NMSSvc.exe...
Scanning Module:C:\WINNT\System32\NMSSvcPS.DLL...

#:16 [nprotect.exe]
ModuleName : C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Command Line : n/a
ProcessID : 200
ThreadCreationTime : 12-27-2004 4:48:10 AM
BasePriority : Normal
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
ProductName : Norton Utilities
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
LegalCopyright : Copyright © 2003 Symantec Corporation
LegalTrademarks : Norton Utilities
OriginalFilename : NPROTECT.EXE
Scanning Module:C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE...
Scanning Module:C:\Program Files\Norton AntiVirus\AdvTools\S32KRNLL.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\AdvTools\NUMISC.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\AdvTools\S32UTILL.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\AdvTools\NPComSvr.DLL...

#:17 [nvsvc32.exe]
ModuleName : C:\WINNT\System32\nvsvc32.exe
Command Line : n/a
ProcessID : 168
ThreadCreationTime : 12-27-2004 4:48:10 AM
BasePriority : Normal
FileVersion : 6.14.10.6177
ProductVersion : 6.14.10.6177
ProductName : NVIDIA Driver Helper Service, Version 61.77
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 61.77
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
Scanning Module:C:\WINNT\System32\nvsvc32.exe...

#:18 [prismxl.sys]
ModuleName : C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
Command Line : n/a
ProcessID : 264
ThreadCreationTime : 12-27-2004 4:48:10 AM
BasePriority : Normal
FileVersion : 4.10
ProductVersion : 4.10
ProductName : PrismXL Software Family
CompanyName : Lanovation
FileDescription : PrismXL Service
InternalName : PrismXL Service
LegalCopyright : Copyright © 1997-2002 Lanovation
OriginalFilename : PrismXL.sys
Scanning Module:C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS...

#:19 [svchost.exe]
ModuleName : C:\WINNT\System32\svchost.exe
Command Line : n/a
ProcessID : 976
ThreadCreationTime : 12-27-2004 4:48:15 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
Scanning Module:c:\winnt\system32\wiaservc.dll...
Scanning Module:c:\winnt\system32\CFGMGR32.dll...
Scanning Module:c:\winnt\system32\mscms.dll...
Scanning Module:C:\WINNT\System32\CNQU70.DLL...
Scanning Module:C:\WINNT\system32\N124UFW.DLL...
Scanning Module:C:\WINNT\System32\actxprxy.dll...
Scanning Module:C:\WINNT\System32\sti.dll...

#:20 [symlcsvc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Command Line : n/a
ProcessID : 1168
ThreadCreationTime : 12-27-2004 4:48:15 AM
BasePriority : Normal
FileVersion : 1, 8, 48, 77
ProductVersion : 1, 8, 48, 77
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe
Scanning Module:C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcnet.dll...

#:21 [explorer.exe]
ModuleName : C:\WINNT\Explorer.EXE
Command Line : C:\WINNT\Explorer.EXE
ProcessID : 1444
ThreadCreationTime : 12-27-2004 4:48:16 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Scanning Module:C:\WINNT\Explorer.EXE...
Scanning Module:C:\WINNT\system32\BROWSEUI.dll...
Scanning Module:C:\WINNT\system32\SHDOCVW.dll...
Scanning Module:C:\WINNT\System32\themeui.dll...
Scanning Module:C:\WINNT\System32\MSIMG32.dll...
Scanning Module:C:\WINNT\system32\ml3216.dll...

VX2 Object Recognized!
Type : Process
Data : ml3216.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! VX2 Object found in memory(C:\WINNT\system32\ml3216.dll)

Scanning Module:C:\WINNT\system32\mlang.dll...
Scanning Module:C:\WINNT\System32\msls31.dll...
Scanning Module:C:\WINNT\system32\LINKINFO.dll...
Scanning Module:C:\WINNT\system32\ntshrui.dll...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

Scanning Module:C:\Program Files\ScanSoft\OmniPageSE\ophook32.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll...
Scanning Module:C:\WINNT\System32\shdoclc.dll...
Scanning Module:C:\WINNT\System32\msimtf.dll...
Scanning Module:C:\WINNT\System32\MSCTF.dll...
Scanning Module:C:\WINNT\system32\IMM32.DLL...
Scanning Module:C:\WINNT\System32\webcheck.dll...
Scanning Module:C:\WINNT\System32\stobject.dll...
Scanning Module:C:\WINNT\System32\BatMeter.dll...
Scanning Module:C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL...
Scanning Module:C:\WINNT\system32\ctagent.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll...

#:22 [ccevtmgr.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Command Line : n/a
ProcessID : 1580
ThreadCreationTime : 12-27-2004 4:48:16 AM
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe...
Scanning Module:C:\PROGRA~1\COMMON~1\SYMANT~1\CCSETEVT.DLL...
Scanning Module:C:\PROGRA~1\NORTON~1\NAVEVENT.DLL...

#:23 [symwsc.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Command Line : n/a
ProcessID : 1600
ThreadCreationTime : 12-27-2004 4:48:16 AM
BasePriority : Normal
FileVersion : 2005.1.2.20
ProductVersion : 2005.1
ProductName : Norton Security Center
CompanyName : Symantec Corporation
FileDescription : Norton Security Center Service
InternalName : SymWSC.exe
LegalCopyright : Copyright © 1997-2004 Symantec Corporation
OriginalFilename : SymWSC.exe
Scanning Module:C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe...
Scanning Module:C:\WINNT\system32\DBGHELP.DLL...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\Security Center\WSCHlpr.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\Security Center\sscnis7.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\Security Center\sscnis56.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\Security Center\sscnav.dll...
Scanning Module:C:\Program Files\Norton AntiVirus\NAVAPSCR.dll...
Scanning Module:C:\WINNT\system32\ATL70.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\SAVRT32.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\NAVError.dll...
Scanning Module:C:\PROGRA~1\NORTON~1\NAVOpts.dll...
Scanning Module:C:\PROGRA~1\NORTON~1\N32Exclu.dll...
Scanning Module:C:\PROGRA~1\NORTON~1\S32NAVO.DLL...
Scanning Module:C:\WINNT\System32\wbem\wbemprox.dll...
Scanning Module:C:\Program Files\Symantec\LiveUpdate\NetDetectController_2_5.DLL...
Scanning Module:C:\WINNT\System32\mstask.dll...

#:24 [yuowiu.exe]
ModuleName : C:\WINNT\system32\yuowiu.exe
Command Line : C:\WINNT\system32\yuowiu.exe
ProcessID : 2176
ThreadCreationTime : 12-27-2004 4:48:18 AM
BasePriority : Normal

Scanning Module:C:\WINNT\system32\yuowiu.exe...

VX2 Object Recognized!
Type : Process
Data : yuowiu.exe
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! VX2 Object found in memory(C:\WINNT\system32\yuowiu.exe)

"C:\WINNT\system32\yuowiu.exe"Process terminated successfully
"C:\WINNT\system32\yuowiu.exe"Process terminated successfully

#:25 [qagent.exe]
ModuleName : C:\Program Files\QUICKENW\QAGENT.EXE
Command Line : "C:\Program Files\QUICKENW\QAGENT.EXE"
ProcessID : 2248
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
ProductName : Agent Module
FileDescription : Agent Module
InternalName : Agent
LegalCopyright : Copyright 1999
OriginalFilename : Agent.EXE
Scanning Module:C:\Program Files\QUICKENW\QAGENT.EXE...
Scanning Module:C:\Program Files\QUICKENW\CHANNEL.dll...
Scanning Module:C:\Program Files\QUICKENW\mrtProc.dll...
Scanning Module:C:\WINNT\system32\mrtRate.dll...
Scanning Module:C:\Program Files\QUICKENW\mrbupd.dll...
Scanning Module:C:\WINNT\system32\security.dll...
Scanning Module:C:\WINNT\icg32.dll...
Scanning Module:C:\WINNT\Intuit\Shared\iccnfg32.dll...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\QUICKENW\QAGENT.EXE"Process terminated successfully

#:26 [promon.exe]
ModuleName : C:\WINNT\system32\PROMon.exe
Command Line : "C:\WINNT\system32\PROMon.exe"
ProcessID : 2272
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 5.3.42.0
ProductVersion : 5.3.42.0
ProductName : Intel® PROMonitor
CompanyName : Intel Corporation
FileDescription : Intel® PROSet Tray Icon
InternalName : Intel® PROMonitor
LegalCopyright : Copyright © 1998-2002 Intel Corporation.
OriginalFilename : PROMon.exe
Comments : Configures and tests Intel® PRO family of adapters.
Scanning Module:C:\WINNT\system32\PROMon.exe...
Scanning Module:C:\WINNT\system32\NMSAPI.DLL...

#:27 [point32.exe]
ModuleName : C:\Program Files\Microsoft Hardware\Mouse\point32.exe
Command Line : "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
ProcessID : 2280
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\point32.exe...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\CMTOOL32.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\MSHLOCAL.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\MSLNG32.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Mouse\IP4xBatt.dll...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\Microsoft Hardware\Mouse\point32.exe"Process terminated successfully

#:28 [opware32.exe]
ModuleName : C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
Command Line : "C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"
ProcessID : 2292
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 11.0
ProductVersion : 11.0
ProductName : OmniPage SE
CompanyName : ScanSoft, Inc
FileDescription : OCR Aware (32-bit)
InternalName : Opware32.exe
LegalCopyright : Copyright © 1995-2000 ScanSoft, Inc
OriginalFilename : Opware32.exe
Scanning Module:C:\Program Files\ScanSoft\OmniPageSE\opware32.exe...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\ScanSoft\OmniPageSE\opware32.exe"Process terminated successfully

#:29 [wkufind.exe]
ModuleName : C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Command Line : "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
ProcessID : 2316
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 7.00.0716.0
ProductVersion : 7.00.0716.0
ProductName : Update Detection Module
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Update Detection
InternalName : WkUFind
LegalCopyright : Copyright © 1987-2002 Microsoft Corporation.
OriginalFilename : WkUFind.exe
Scanning Module:C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe...

#:30 [ituneshelper.exe]
ModuleName : C:\Program Files\iTunes\iTunesHelper.exe
Command Line : "C:\Program Files\iTunes\iTunesHelper.exe"
ProcessID : 2340
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe
Scanning Module:C:\Program Files\iTunes\iTunesHelper.exe...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\iTunes\iTunesHelper.exe"Process terminated successfully

#:31 [type32.exe]
ModuleName : C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
Command Line : "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
ProcessID : 2348
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Microsoft Hardware\Keyboard\type32.exe...
Scanning Module:C:\Program Files\Microsoft Hardware\Keyboard\itres.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Keyboard\Type32.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Keyboard\MSHCmd.dll...
Scanning Module:C:\Program Files\Microsoft Hardware\Keyboard\ITHOOK.DLL...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"Process terminated successfully

#:32 [gwmdmmsg.exe]
ModuleName : C:\WINNT\GWMDMMSG.exe
Command Line : "C:\WINNT\GWMDMMSG.exe"
ProcessID : 2364
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 3.4.22 08/06/2002 14:26:16
ProductVersion : 3.4.22 08/06/2002 14:26:16
ProductName : GTW Modem Messaging Applet
CompanyName : GTW
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © GTW 1998-2000
OriginalFilename : smdmstat.exe
Scanning Module:C:\WINNT\GWMDMMSG.exe...

#:33 [cthelper.exe]
ModuleName : C:\WINNT\system32\CTHELPER.EXE
Command Line : "C:\WINNT\system32\CTHELPER.EXE"
ProcessID : 2380
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE
Scanning Module:C:\WINNT\system32\CTHELPER.EXE...
Scanning Module:C:\WINNT\system32\DSOUND.dll...
Scanning Module:C:\WINNT\system32\MFC42.DLL...
Scanning Module:C:\WINNT\system32\KsUser.dll...
Scanning Module:C:\WINNT\system32\ctspkhlp.dll...
Scanning Module:C:\WINNT\CTDCRES.DLL...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\WINNT\system32\CTHELPER.EXE"Process terminated successfully

#:34 [ccapp.exe]
ModuleName : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Command Line : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ProcessID : 2392
ThreadCreationTime : 12-27-2004 4:48:19 AM
BasePriority : Normal
FileVersion : 2.1.3.4
ProductVersion : 2.1.3.4
ProductName : Common Client
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccApp.exe...
Scanning Module:C:\Program Files\Symantec\LiveUpdate\ProductRegCom_2_5.DLL...
Scanning Module:C:\Program Files\Symantec\LiveUpdate\LuComServerPS_2_5.DLL...
Scanning Module:C:\PROGRA~1\COMMON~1\SYMANT~1\CCALERT.DLL...
Scanning Module:C:\PROGRA~1\COMMON~1\SYMANT~1\CCEMLPXY.DLL...
Scanning Module:C:\WINNT\system32\SYMREDIR.dll...
Scanning Module:C:\PROGRA~1\NORTON~1\CCIMSCAN.DLL...
Scanning Module:C:\PROGRA~1\NORTON~1\DEFALERT.DLL...
Scanning Module:C:\PROGRA~1\NORTON~1\NAVAPW32.DLL...
Scanning Module:C:\PROGRA~1\NORTON~1\apwutil.dll...
Scanning Module:C:\PROGRA~1\NORTON~1\SAVRT32.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\NAVOPTRF.DLL...
Scanning Module:C:\Program Files\Norton AntiVirus\apwcmdnt.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccSetEvt.dll...
Scanning Module:C:\Program Files\Common Files\Symantec Shared\ccProSub.dll...
Scanning Module:C:\Program Files\Norton AntiVirus\NavEmail.dll...

#:35 [versioncuetray.exe]
ModuleName : C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
Command Line : "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
ProcessID : 2408
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe...

#:36 [jusched.exe]
ModuleName : C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
Command Line : "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe"
ProcessID : 2416
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Normal

Scanning Module:C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe...

#:37 [rundll32.exe]
ModuleName : C:\WINNT\system32\RUNDLL32.EXE
Command Line : "C:\WINNT\system32\RUNDLL32.EXE" C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
ProcessID : 2432
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Scanning Module:C:\WINNT\System32\NvMcTray.dll...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\WINNT\system32\RUNDLL32.EXE"Process terminated successfully

#:38 [rundll32.exe]
ModuleName : C:\WINNT\System32\RunDLL32.exe
Command Line : "C:\WINNT\System32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
ProcessID : 2440
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Idle
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\WINNT\System32\RunDLL32.exe"Process terminated successfully

#:39 [acrotray.exe]
ModuleName : C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
Command Line : "C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe"
ProcessID : 2452
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Normal
FileVersion : 6.0.1.2003102300
ProductVersion : 6.0.1.2003102300
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2003 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe
Scanning Module:C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe...
Scanning Module:C:\WINNT\system32\zpueop.dll...

CoolWebSearch Object Recognized!
Type : Process
Data : zpueop.dll
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINNT\system32\


Warning! CoolWebSearch Object found in memory(C:\WINNT\system32\zpueop.dll)

"C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe"Process terminated successfully

#:40 [nkvmon.exe]
ModuleName : C:\Program Files\Nikon\NkView6\NkvMon.exe
Command Line : "C:\Program Files\Nikon\NkView6\NkvMon.exe"
ProcessID : 2476
ThreadCreationTime : 12-27-2004 4:48:20 AM
BasePriority : Normal
FileVersion : 6, 1, 0, 3002
ProductVersion : 6, 1
ProductName : Nikon Monitor
CompanyName : Nikon Corporation
FileDescription : Nikon Monitor
InternalName : NkvMon
LegalCopyright : Copyright © Nikon Corporation. 1998 - 2003
OriginalFilename : NkvMon.exe
Comments : Nikon Monitor
Scanning Module:C:\Program Files\Nikon\NkView6\NkvMon.exe...
Scanning Module:C:\WINNT\system32\MFC70.DLL...
Scanning Module:C:\WINNT\system32&

#9 notman (Topic Starter)
And this is the HJT log...

Logfile of HijackThis v1.98.2
Scan saved at 9:30:07 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINNT\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygphug.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINNT\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINNT\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A682A5C-883F-48C5-BDF3-8C38B34DFA76}: NameServer = 192.192.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9806F3B-3513-4670-8910-F5631AC8A632}: NameServer = 192.192.192.1

#10 notman (Topic Starter)
Bumping this up. Hoping someone will look at these logs. Haven't rebooted (or used that computer) since I took them.

#11 coachwife6 (Retired Staff)
What is this? You can run HijackThis again and get rid of it.

O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINNT\DOWNLO~1\STUMBL~1.DLL/blogimage

Reboot into safe mode and get rid of this:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygphug.exe

Clean out your temp. files, reboot, and post a new log. How is it running?

#12 notman (Topic Starter)

I think Stumble Upon is legit, but I ditched it anyway. Still seems to slow down a little on log in, but I haven't reconnected it to the router yet. Waiting for a clean scan :tazz:

And thank you, very much, for all your help

Logfile of HijackThis v1.98.2
Scan saved at 7:02:33 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\brsvc01a.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\brss01a.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\system32\cisvc.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\yuowiu.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\WINNT\system32\PROMon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Jeff\Desktop\hijackthis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINNT\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A682A5C-883F-48C5-BDF3-8C38B34DFA76}: NameServer = 192.192.192.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9806F3B-3513-4670-8910-F5631AC8A632}: NameServer = 192.192.192.1

#13 coachwife6 (Retired Staff)
OK. It's mutating.

Turn off system restore.

Run a trojan scan from:

www.moosoft.com or
TDS Diamond

Delete your temp. files.

Reboot into safe mode and get rid of this file. Make sure all files are showing.

C:\WINNT\system32\yuowiu.exe

Delete temp. files again.

Reboot and run HijackThis.

You said it was slow on start-up, so I gave you some options to help speed it up on start-up.



The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.


O4 - Startup: PowerReg SchedulerV2.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
(Description: Checks for updates to MS Works. Unnecessary. Removing this entry will free up some system resources. )

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
(Description: Used with internal modems on Gateway and vprMatrix PCs. This is the "GTW modem messaging applet" and is not required for the modem to work correctly. Removing this entry will free up some system resources. )

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Reboot and post a new log.
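
To see what "It's mutating" means in log terms, the two HijackThis logs notman posted (12/26 and 12/28) can be diffed on their "Running processes" section: ygphug.exe in the Startup folder is gone and yuowiu.exe in system32 has appeared. The Python script below is an added example written for this page, not a tool from the thread, from Geeks to Go or from HijackThis. The two log excerpts are abbreviated copies of the logs above (constructed samples, not full logs), and the six-letter-name check is a crude heuristic tuned to the names seen in this thread (ygphug, yuowiu, zpueop); its output is a review queue for a human helper, not a verdict.

```python
"""Diff the "Running processes" sections of two HijackThis 1.98 logs.

Added example for this thread, not part of HijackThis. The two excerpts
below are abbreviated copies of notman's 12/26 and 12/28 logs (constructed
samples); the name heuristic is crude and exists only to rank the review queue.
"""
import re
from typing import Dict, List, Tuple

LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Scan saved at 9:30:07 PM, on 12/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ygphug.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\Jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
"""

LOG_AFTER = r"""Logfile of HijackThis v1.98.2
Scan saved at 7:02:33 PM, on 12/28/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\yuowiu.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\Jeff\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
"""

# Six lowercase letters plus .exe/.dll: the shape of ygphug, yuowiu and zpueop
# in this thread. Crude: legitimate files can match too, so it only ranks.
RANDOM_NAME = re.compile(r"^[a-z]{6}\.(exe|dll)$")
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"


def running_processes(log: str) -> Dict[str, str]:
    """Map each lowercased path under 'Running processes:' to the line as logged.

    Windows paths are case-insensitive, so lowercasing merges the two svchost
    lines that differ only in 'System32' vs 'system32'.
    """
    paths: Dict[str, str] = {}
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line:  # the section ends at the first blank line
                break
            paths.setdefault(line.lower(), line)
    return paths


def compare_logs(baseline: str, current: str) -> Dict[str, List[str]]:
    """Processes present in only one of the two logs, in their logged spelling."""
    before, after = running_processes(baseline), running_processes(current)
    return {
        "new": [after[k] for k in sorted(after.keys() - before.keys())],
        "gone": [before[k] for k in sorted(before.keys() - after.keys())],
    }


def risk_reasons(path: str) -> List[str]:
    """Why a process deserves a closer look; an empty list means no flag."""
    reasons = []
    name = path.rsplit("\\", 1)[-1]
    if STARTUP_FOLDER in path.lower():
        reasons.append("runs from a Startup folder")
    if RANDOM_NAME.match(name):
        reasons.append("six-letter lowercase name, like the ones in this thread")
    return reasons


def triage(baseline: str, current: str) -> List[Tuple[str, List[str]]]:
    """New processes, flagged ones first; a review queue, not a verdict."""
    rows = [(p, risk_reasons(p)) for p in compare_logs(baseline, current)["new"]]
    rows.sort(key=lambda r: (not r[1], r[0].lower()))
    return rows


if __name__ == "__main__":
    for path in compare_logs(LOG_BEFORE, LOG_AFTER)["gone"]:
        print("gone:", path)
    for path, reasons in triage(LOG_BEFORE, LOG_AFTER):
        print("new: ", path, "<-", "; ".join(reasons) or "no flag, identify manually")
```

Run against the two excerpts, the script reports ygphug.exe as gone and ranks yuowiu.exe first among the new processes; NMSSvc.exe also shows as new but carries no flag, so it drops to the bottom of the queue for manual identification. That ordering is the point: the diff between consecutive logs is the reliable signal, and the name heuristic only decides what a helper looks at first.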

#14 notman (Topic Starter)

Should I try to delete what NT Diamond is finding?

#15 notman (Topic Starter)

Sorry DTS Diamond