Yet Another CWS Victim


4 replies to this topic

#1 sithie (Full Member, 15 posts)

Posted 01 July 2004 - 10:26 AM

Help, anyone? lol. All updates are up to date, AAW6 is updated, Windows XP is updated, etc. Here is my full scan:

Note: it only found ONE of the running processes that CWS installed during this scan. Usually there are like 3 different programs running from CWS (I think). They are "syspp32.exe", "sysik32.exe", "atlid.exe", and I think there are one or two other ones whose names escape me at the moment. Whenever I close one of them, the other ones start. Whenever I open IE, they all start, lol.

Anyway, here is the full scan:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, July 01, 2004 11:00:29 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R325 27.06.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R325 27.06.2004
Internal build : 257
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1274298 Bytes
Signature data size : 1253786 Bytes
Reference data size : 20448 Bytes
Signatures total : 27864
Target categories : 10
Target families : 507

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:58 %
Total physical memory:785904 kb
Available physical memory:452004 kb
Total page file size:1086372 kb
Available on page file:886924 kb
Total virtual memory:2097024 kb
Available virtual memory:2048844 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-1-2004 11:00:29 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-30-2004 3:34:53 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:34:56 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:34:56 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/3/2002 4:44:18 AM
Last accessed : 7/1/2004 3:00:29 PM
Last modified : 8/18/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:34:56 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/3/2002 4:43:55 AM
Last accessed : 7/1/2004 3:00:29 PM
Last modified : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:34:56 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/3/2002 4:44:22 AM
Last accessed : 7/1/2004 3:00:29 PM
Last modified : 8/18/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-30-2004 3:34:56 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/3/2002 4:44:22 AM
Last accessed : 7/1/2004 3:00:29 PM
Last modified : 8/18/2001 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:34:58 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/3/2002 4:44:20 AM
Last accessed : 7/1/2004 3:00:29 PM
Last modified : 8/18/2001 12:00:00 PM

#:8 [packethsvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-30-2004 3:36:05 AM
BasePriority : Normal
FileSize : 63 KB
FileVersion : 6, 0, 0, 6
ProductVersion : 6, 0, 0, 6
Copyright : Copyright © America Online, Inc. 1999 - 2001
CompanyName : America Online, Inc.
FileDescription : Virtual Adapter Service
InternalName : Virtual Adapter Service
OriginalFilename : PackethSvc.exe
ProductName : America Online
Created on : 4/30/2003 7:05:36 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 8/9/2001 8:46:44 PM

#:9 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 6-30-2004 3:36:05 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 7.60.00.926
ProductVersion : 7.60.00.926
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 9/24/2001 12:59:00 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 9/24/2001 12:59:00 PM

#:10 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 6-30-2004 3:36:05 AM
BasePriority : Normal
FileSize : 444 KB
FileVersion : 7.60.00.926
ProductVersion : 7.60.00.926
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 9/24/2001 12:59:00 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 9/24/2001 12:59:00 PM

#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-30-2004 3:36:05 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 6.14.10.5672
ProductVersion : 6.14.10.5672
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 56.72
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 56.72
Created on : 3/24/2004 2:04:00 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 3/24/2004 2:04:00 PM

#:12 [slserv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-30-2004 3:36:08 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
Copyright : Copyright
FileDescription : User-Level Modem Service
InternalName : slserv
OriginalFilename : slserv.exe
ProductName : Modem
Created on : 8/3/2002 4:45:11 AM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 11/29/2001 11:09:28 PM

#:13 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-30-2004 3:36:08 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 5/22/2003 7:44:01 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 7/30/2002 7:16:20 PM

#:14 [msgsys.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-30-2004 3:36:22 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 6.0.201.0940 E
ProductVersion : 6.0
Copyright : Copyright
CompanyName : Intel Corporation
FileDescription : CBA -- Message System
InternalName : MsgExe
OriginalFilename : MsgSys.EXE
ProductName : Intel Common Base Agent
Created on : 9/18/2000 10:12:40 PM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 9/18/2000 10:12:40 PM

#:15 [soundman.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-30-2004 3:36:26 AM
BasePriority : Normal
FileSize : 45 KB
FileVersion : 5.0
ProductVersion : 5.0
Copyright : Copyright © 2001 Avance Logic, Inc.
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Manager
InternalName : ALSMTray
OriginalFilename : ALSMTray.exe
ProductName : Avance Sound Manager
Created on : 8/3/2002 5:37:04 AM
Last accessed : 7/1/2004 3:00:30 PM
Last modified : 6/27/2002 5:00:04 PM

#:16 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 6-30-2004 3:36:27 AM
BasePriority : Normal
FileSize : 1080 KB
FileVersion : 3.37.0
ProductVersion : 3.37.0
Copyright : Copyright © ahead software gmbh and its licensors
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
OriginalFilename : InCD.EXE
ProductName : InCD
Created on : 2/8/2003 1:38:26 PM
Last accessed : 7/1/2004 2:54:01 PM
Last modified : 8/21/2002 8:59:32 AM

#:17 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 6-30-2004 3:36:28 AM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 7.60.00.926
ProductVersion : 7.60.00.926
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 9/24/2001 12:59:00 PM
Last accessed : 7/1/2004 3:00:31 PM
Last modified : 9/24/2001 12:59:00 PM

#:18 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-30-2004 11:36:30 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 2/2/2004 3:38:55 AM
Last accessed : 7/1/2004 2:27:01 PM
Last modified : 8/29/2002 10:41:24 AM

#:19 [sysik32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-1-2004 2:04:09 AM
BasePriority : Normal
FileSize : 26 KB
Created on : 6/12/2004 12:35:37 PM
Last accessed : 7/1/2004 2:59:29 PM
Last modified : 6/12/2004 12:35:37 PM

#:20 [sdkxc32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-1-2004 2:32:49 AM
BasePriority : Normal
FileSize : 9 KB
Created on : 6/16/2004 11:50:27 PM
Last accessed : 7/1/2004 3:00:31 PM
Last modified : 6/16/2004 11:50:27 PM
Warning! CoolWebSearch object found in memory(C:\WINDOWS\system32\sdkxc32.exe)

CoolWebSearch Object recognized!
Type : Process
Data : sdkxc32.exe
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileSize : 9 KB
Created on : 6/16/2004 11:50:27 PM
Last accessed : 7/1/2004 3:00:31 PM
Last modified : 6/16/2004 11:50:27 PM


"sdkxc32.exe"Process terminated successfully.

#:21 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 7-1-2004 4:50:41 AM
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 5/23/2004 12:40:59 AM
Last accessed : 7/1/2004 3:00:31 PM
Last modified : 5/23/2004 12:40:59 AM

#:22 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 7-1-2004 2:26:57 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 2/2/2004 3:39:48 AM
Last accessed : 7/1/2004 2:27:00 PM
Last modified : 8/29/2002 10:41:26 AM

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-1-2004 2:49:28 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 10/27/2003 1:49:25 AM
Last accessed : 7/1/2004 2:49:29 PM
Last modified : 7/13/2003 3:00:20 AM

#:24 [msiexec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-1-2004 2:54:50 PM
BasePriority : Normal
FileSize : 63 KB
FileVersion : 2.0.2600.1106
ProductVersion : 2.0.2600.1106
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Windows
InternalName : msiexec
OriginalFilename : msiexec.exe
ProductName : Windows Installer - Unicode
Created on : 2/2/2004 3:44:02 AM
Last accessed : 7/1/2004 2:54:50 PM
Last modified : 8/29/2002 10:41:26 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://kwtad.dll/index.html#96676"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://kwtad.dll/index.html#96676"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://kwtad.dll/index.html#96676"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://kwtad.dll/index.html#96676"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://kwtad.dll/index.html#96676"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://kwtad.dll/index.html#96676"


CoolWebSearch Object recognized!
Type : RegValue
Data : c:\windows\mfcit32.exe
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\RunOnce
Value : mfcit32.exe


CoolWebSearch Object recognized!
Type : File
Data : mfcit32.exe
Category : Malware
Comment :
Object : c:\windows\
FileSize : 9 KB
Created on : 6/16/2004 11:49:31 PM
Last accessed : 7/1/2004 3:01:55 PM
Last modified : 6/16/2004 11:49:31 PM



CoolWebSearch Object recognized!
Type : RegValue
Data : c:\windows\system32\sdkxc32.exe
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\RunOnce
Value : sdkxc32.exe


CoolWebSearch Object recognized!
Type : RegValue
Data : c:\windows\system32\sysnd32.exe
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\RunOnce
Value : sysnd32.exe


CoolWebSearch Object recognized!
Type : File
Data : sysnd32.exe
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 9 KB
Created on : 6/9/2004 6:26:04 PM
Last accessed : 7/1/2004 3:01:56 PM
Last modified : 6/9/2004 6:26:04 PM



Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 6
Objects found so far: 9


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@advertising[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 5:30:06 AM
Last accessed : 7/1/2004 2:35:15 PM
Last modified : 7/1/2004 2:35:15 PM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@atdmt[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 2:48:59 AM
Last accessed : 7/1/2004 2:35:15 PM
Last modified : 7/1/2004 2:48:59 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@bluestreak[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 3:02:48 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 3:02:48 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 2:48:59 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 2:49:18 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\
FileSize : 1 KB
Created on : 7/1/2004 2:56:28 PM
Last accessed : 7/1/2004 2:56:28 PM
Last modified : 7/1/2004 2:56:28 PM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@ehg-planetout.hitbox[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\
FileSize : 1 KB
Created on : 7/1/2004 5:11:32 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 5:23:38 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@hitbox[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 5:11:32 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 5:23:38 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@maxserving[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 5:29:51 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 5:30:05 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 2:51:19 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 2:51:19 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@servedby.advertising[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 5:30:05 AM
Last accessed : 7/1/2004 2:35:15 PM
Last modified : 7/1/2004 2:35:15 PM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@stat.onestat[2].txt
Category : Data Miner
Comment : www.searchtraffic.com
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 5:29:42 AM
Last accessed : 7/1/2004 3:06:14 PM
Last modified : 7/1/2004 5:29:42 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@stats1.clicktracks[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 2:57:43 AM
Last accessed : 7/1/2004 3:06:15 PM
Last modified : 7/1/2004 2:57:43 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@tribalfusion[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 3:01:53 AM
Last accessed : 7/1/2004 3:06:15 PM
Last modified : 7/1/2004 3:01:53 AM



Tracking Cookie Object recognized!
Type : File
Data : kevin kiehl@z1.adserver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Kevin Kiehl\Cookies\

Created on : 7/1/2004 3:01:53 AM
Last accessed : 7/1/2004 3:06:15 PM
Last modified : 7/1/2004 3:01:53 AM



CoolWebSearch Object recognized!
Type : File
Data : apifd.exe
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileSize : 9 KB
Created on : 6/17/2004 6:07:45 AM
Last accessed : 7/1/2004 3:02:21 PM
Last modified : 6/17/2004 6:07:45 AM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 24


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 27


11:25:02 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:24:32:266
Objects scanned :238150
Objects identified :27
Objects ignored :0
New objects :27

------------------

And that's the end of it. Please help me destroy this terrible CWS!! CWS MUST DIE!!! lol.

#2 The Fist (Full Member, 50 posts)

Posted 01 July 2004 - 10:43 AM

Please read the FAQ (link at the top of the page). Then download HijackThis into its own permanent directory (e.g. c:\HJT), run HijackThis and post the HijackThis log. Don't post an Ad-Aware log unless someone asks for it.

Good Luck.

#3 sithie (Full Member, 15 posts)

Posted 01 July 2004 - 10:45 AM

My HJT Logfile:

Logfile of HijackThis v1.98.0
Scan saved at 11:44:28 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\sysik32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\WINDOWS\system32\apifd.exe
C:\Program Files\aim\aim.exe
C:\NEW DLoads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kwtad.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kwtad.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kwtad.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kwtad.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kwtad.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kwtad.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2FD6FA5C-0926-8DFD-5D77-4533A2EF1BD2} - C:\WINDOWS\apisr32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\aim\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [sysik32.exe] C:\WINDOWS\system32\sysik32.exe
O4 - HKLM\..\RunOnce: [sdkfo.exe] C:\WINDOWS\sdkfo.exe
O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\mp4sds32.ax"
O4 - HKLM\..\RunOnce: [appmx32.exe] C:\WINDOWS\system32\appmx32.exe
O4 - HKLM\..\RunOnce: [atlid32.exe] C:\WINDOWS\atlid32.exe
O4 - HKLM\..\RunOnce: [mfcit32.exe] C:\WINDOWS\mfcit32.exe
O4 - HKLM\..\RunOnce: [sdkxc32.exe] C:\WINDOWS\system32\sdkxc32.exe
O4 - HKLM\..\RunOnce: [sysnd32.exe] C:\WINDOWS\system32\sysnd32.exe
O4 - HKLM\..\RunOnce: [apifd.exe] C:\WINDOWS\system32\apifd.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
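A triage pass over the HijackThis log above, added here as an example; it is not part of the original thread and is not HijackThis code. The rules are heuristics chosen from the patterns visible in this particular log: R0/R1 entries whose URL is a `res://` reference into a local DLL (kwtad.dll), an O2 BHO with "(no name)" loading a DLL straight out of C:\WINDOWS (apisr32.dll), O4 Run/RunOnce entries whose value name is simply the executable's own file name and whose target lives in %WINDIR% or System32 (sysik32.exe, mfcit32.exe, apifd.exe), and an O4 entry named Explorer that launches EXPLORER.EXE from System32 while the running-process list shows the real shell at C:\WINDOWS\explorer.exe. The sample lines are excerpted from the log above; the rule names, the `WINDIR` constant and the benign lines kept as negative cases are my choices.

```python
import re
from dataclasses import dataclass

# Lines excerpted from the HijackThis 1.98 log posted above. A few benign
# entries (Acrobat BHO, Norton vptray, the WMC_0 codec registration) are kept
# so the rules have something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kwtad.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://kwtad.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kwtad.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2FD6FA5C-0926-8DFD-5D77-4533A2EF1BD2} - C:\WINDOWS\apisr32.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
O4 - HKLM\..\Run: [sysik32.exe] C:\WINDOWS\system32\sysik32.exe
O4 - HKLM\..\RunOnce: [WMC_0] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\System32\mp4sds32.ax"
O4 - HKLM\..\RunOnce: [mfcit32.exe] C:\WINDOWS\mfcit32.exe
O4 - HKLM\..\RunOnce: [apifd.exe] C:\WINDOWS\system32\apifd.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
"""

WINDIR = r"c:\windows"  # assumption: this machine's %WINDIR%, as seen in the log

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) =(?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RES_URL = re.compile(r"^res://(?P<file>[^/]+)/", re.IGNORECASE)
# First executable on a command line: a quoted path, or an unquoted path up to
# its extension (unquoted paths may contain spaces, e.g. C:\Program Files\...).
TARGET = re.compile(r'^"([^"]+)"|^(\S.*?\.(?:exe|com|scr|bat|pif))(?:\s|$)', re.IGNORECASE)


def target_of(cmd):
    """Return the executable an O4 command line launches."""
    m = TARGET.match(cmd.strip())
    if m:
        return m.group(1) or m.group(2)
    return cmd.strip().split()[0]


def split_path(path):
    """(directory, basename), both lower-cased, for a Windows-style path."""
    path = path.strip().strip('"')
    if "\\" in path:
        d, _, b = path.rpartition("\\")
    else:
        d, b = "", path
    return d.lower(), b.lower()


def in_windir(directory):
    return directory in (WINDIR, WINDIR + r"\system32")


@dataclass
class Finding:
    line: str   # the HJT line that fired
    rule: str   # heuristic name (my naming, not HijackThis')
    file: str   # basename of the file the line points at


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            r = RES_URL.match(m.group("data").strip())
            if r:  # IE start/search page served from inside a local DLL
                findings.append(Finding(line, "ie_page_in_local_dll", split_path(r.group("file"))[1]))
            continue
        m = O2_LINE.match(line)
        if m:
            d, base = split_path(m.group("path"))
            if m.group("name").strip() == "(no name)" and in_windir(d):
                findings.append(Finding(line, "unnamed_bho_in_windir", base))
            continue
        m = O4_LINE.match(line)
        if m:
            d, base = split_path(target_of(m.group("cmd")))
            name = m.group("name").strip().lower()
            if base == "explorer.exe" and d != WINDIR:
                # the real shell runs from %WINDIR%, not System32
                findings.append(Finding(line, "explorer_not_in_windir", base))
            elif in_windir(d) and name == base:
                # value name is just the file name: every CWS entry in this log looks like that
                findings.append(Finding(line, "autorun_named_after_exe", base))
    return findings


def referenced_files(findings):
    """Sorted, de-duplicated file names to collect or verify before deleting anything."""
    return sorted({f.file for f in findings})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:26} {f.file:14} {f.line}")
    print("files to collect/verify:", ", ".join(referenced_files(found)))
```

Run as-is it reports eight lines and a file list (apifd.exe, apisr32.dll, explorer.exe, kwtad.dll, mfcit32.exe, sysik32.exe); three of those names also appear as CoolWebSearch hits in the Ad-aware log in post #1, which is the kind of cross-check worth doing before acting on a heuristic. The WMC_0, vptray and Acrobat lines are deliberately not flagged.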

#4 sithie (Full Member, 15 posts)

Posted 01 July 2004 - 11:52 AM

Bumpity bump... Help, anyone?

#5 sithie (Full Member, 15 posts)

Posted 01 July 2004 - 12:06 PM

I've been having some abnormal behavior with my freakin' Notepad.exe too, lol. After I open Notepad, it just closes at a random time. I tried opening multiple Notepads to see what would happen, and again, after a random time had elapsed, Notepad closed again. (The time elapsed is usually under 4 minutes before notepad.exe closes.) Ehh... Die, CWS, die.




Member of ASAP and UNITE
SpywareInfo Forum