headshell

hijacked help please

10 posts in this topic

I ran Ad-aware and Spybot Search and Destroy.

Thanks

 

 

Logfile of HijackThis v1.97.7

Scan saved at 4:10:52 PM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\myCIO\Agent\myAgtSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TSIRCSRV.EXE

C:\WINDOWS\system32\winnd.exe

C:\WINDOWS\myCIO\VScan\McShield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\myCIO\Agent\myagttry.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\msud32.exe

C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaqbt.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaqbt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaqbt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129

O2 - BHO: (no name) - {147B64BE-6EFA-DCA0-9281-0618E872C1A2} - C:\WINDOWS\system32\winqu.dll

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe

O4 - HKLM\..\Run: [winqu.exe] C:\WINDOWS\system32\winqu.exe

O4 - HKLM\..\Run: [msud32.exe] C:\WINDOWS\msud32.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O9 - Extra button: AIM (HKLM)

O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap.mcafeeasap.com/VS2/bin/myCioAgt.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =

O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =

O17 - HKLM\System\CS3\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =


Hello headshell,

 

Sorry for the wait. Try this:

Please download About:Buster and unzip it to your desktop.

Start it, hit Ok, Start, and Ok to start the scan. It will generate a log. Post that log along with a new HijackThis log here.


Ok. Here we go.

thx,

 

 

 

-- Scan 1 --------

About:Buster Version 1.27


Attempted Clean Of Temp folder.

Removed LEGACY___NS_Service_3 Key

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!

 

-----------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7

Scan saved at 11:06:27 AM, on 7/13/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\myCIO\Agent\myAgtSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TSIRCSRV.EXE

C:\WINDOWS\apiii32.exe

C:\WINDOWS\system32\mfcnh.exe

C:\WINDOWS\myCIO\VScan\McShield.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\myCIO\Agent\myagttry.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://veawh.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129

O2 - BHO: (no name) - {BC18EDB1-7152-4300-9435-4B195A2401DF} - C:\WINDOWS\system32\mfcsc.dll

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe

O4 - HKLM\..\Run: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe

O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKLM\..\RunOnce: [sdkka32.exe] C:\WINDOWS\system32\sdkka32.exe

O4 - HKLM\..\RunOnce: [sdklv.exe] C:\WINDOWS\system32\sdklv.exe

O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe

O4 - HKLM\..\RunOnce: [mspd.exe] C:\WINDOWS\mspd.exe

O4 - HKLM\..\RunOnce: [mshv32.exe] C:\WINDOWS\mshv32.exe

O4 - HKLM\..\RunOnce: [ipnd.exe] C:\WINDOWS\system32\ipnd.exe

O9 - Extra button: AIM (HKLM)

O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap.mcafeeasap.com/VS2/bin/myCioAgt.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39

O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39


Hello headshell,

 

Let's try it this way. I know you have Ad-aware, so please set it up this way:

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window.

 

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select:

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

Click on Proceed to save the settings.

 

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

 

Save the log file when it asks and then click Finish.

 

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

___________

 

Now, reboot to Safe Mode (tap F8 while restarting).

 

Then open HijackThis, click Scan, then put a check next to the following entries:

 

O2 - BHO: (no name) - {BC18EDB1-7152-4300-9435-4B195A2401DF} - C:\WINDOWS\system32\mfcsc.dll

 

O4 - HKLM\..\Run: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe

O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe

O4 - HKLM\..\RunOnce: [sdkka32.exe] C:\WINDOWS\system32\sdkka32.exe

O4 - HKLM\..\RunOnce: [sdklv.exe] C:\WINDOWS\system32\sdklv.exe

O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe

O4 - HKLM\..\RunOnce: [mspd.exe] C:\WINDOWS\mspd.exe

O4 - HKLM\..\RunOnce: [mshv32.exe] C:\WINDOWS\mshv32.exe

O4 - HKLM\..\RunOnce: [ipnd.exe] C:\WINDOWS\system32\ipnd.exe

 

 

Now, make sure you Close all open Windows (have only HJT open) and click "Fix Checked".

 

- - - - - - - -

 

Then, while still in safe mode, run About:Buster.

Start it, (Don't worry about the pop-up that says to fix all random objects, we just did that)

Hit Ok, Start, and Ok to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

 

- - - - - - - -

 

Now run Ad-aware, while still in safe mode.

 

_________

 

Then, reboot normally and take a free on-line scan at HouseCall

 

 

After you do the above, please post a new HJT log, and your About Buster log.


Autodad,

It's been a couple weeks since I've been able to get back to this, but here we go.

 

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

1st ad-aware log.

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Friday, July 30, 2004 10:44:42 AM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R334 24.07.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R334 24.07.2004

Internal build : 268

File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref

Total size : 1316091 Bytes

Signature data size : 1295051 Bytes

Reference data size : 20976 Bytes

Signatures total : 28648

Target categories : 10

Target families : 528

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:63 %

Total physical memory:522240 kb

Available physical memory:324056 kb

Total page file size:1277048 kb

Available on page file:1123756 kb

Total virtual memory:2097024 kb

Available virtual memory:2053732 kb

OS:

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

7-30-2004 10:44:42 AM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 


Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://zhddi.dll/index.html#28129"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "res://zhddi.dll/index.html#28129"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://zhddi.dll/index.html#28129"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "res://zhddi.dll/index.html#28129"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://zhddi.dll/index.html#28129"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Default_Page_URL

Data : "res://zhddi.dll/index.html#28129"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 3

Objects found so far: 3

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-125304-989.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 3/27/2004 12:39:08 AM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 3/27/2004 12:39:08 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-150532-365.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 2/25/2004 12:28:47 PM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 2/25/2004 12:28:47 PM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-150705-153.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 2/25/2004 12:28:47 PM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 2/25/2004 12:28:47 PM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-151747-720.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 1/26/2004 12:18:25 AM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 1/26/2004 12:18:25 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-152249-540.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 12/26/2003 12:08:04 PM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 12/26/2003 12:08:04 PM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-160606-554.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 11/25/2003 11:57:42 PM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 11/25/2003 11:57:42 PM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040706-161145-180.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\

FileSize : 89 KB

Created on : 10/26/2003 11:47:21 AM

Last accessed : 7/30/2004 5:46:08 PM

Last modified : 10/26/2003 11:47:21 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : backup-20040701-124531-583.dll

Category : Malware

Comment :

Object : C:\Documents and Settings\Jeff Nichols\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\backups\

FileSize : 89 KB

Created on : 6/11/2004 7:24:43 AM

Last accessed : 7/30/2004 5:46:10 PM

Last modified : 6/11/2004 7:24:43 AM

 

 

 

CoolWebSearch Object recognized!

Type : File



Hi headshell,

 

There has been an update to HJT and AboutBuster since the last time you were here.

Your Ad-aware has the latest update, good job.

 

Download About:Buster v2.0 from here: http://www.downloads.subratam.org/AboutBuster.zip

but don't run it yet.

Unzip all files from the zip folder to a folder or your desktop.

Start it and click ok.

Then click "Update". A new screen should popup.

On that screen click "Check for Updates".

If there is an update found, click "Download Updates".

If it doesn't find an update, it will automatically tell you and exit.

We will run it later.

_ _ _ _ _ _

 

First go to Add/Remove Programs

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

and Remove this (if there):

 

Viewpoint Media Player

 

Then close Control Panel.

_ _ _ _ _ _

 

Make sure you can view hidden and system files: hidden files

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

 

It might help to print this part out. Don't open Internet Explorer during any portion of this process.

 

Reboot to Safe mode (tap F8 while restarting).

 

Step 1:

 

Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

 

Step 2:

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these: (if they are there)

 

apiii32.exe

mfcnh.exe

javasy32.exe

msud32.exe

netwv32.exe

netxy.exe

 

viewmgr.exe

 

Then close task manager.

 

Step 3:

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhddi.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhddi.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zhddi.dll/sp.html#28129

 

O2 - BHO: (no name) - {9041DC7F-A546-4FA4-2F1E-B74E22A722FE} - C:\WINDOWS\system32\mfcnh.dll

 

O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

 

O4 - HKLM\..\RunOnce: [mshv.exe] C:\WINDOWS\system32\mshv.exe

O4 - HKLM\..\RunOnce: [msfl.exe] C:\WINDOWS\msfl.exe

O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe

O4 - HKLM\..\RunOnce: [d3et.exe] C:\WINDOWS\d3et.exe

O4 - HKLM\..\RunOnce: [crfk32.exe] C:\WINDOWS\crfk32.exe

O4 - HKLM\..\RunOnce: [nethk32.exe] C:\WINDOWS\system32\nethk32.exe

O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\apppm32.exe

O4 - HKLM\..\RunOnce: [netwg.exe] C:\WINDOWS\system32\netwg.exe

O4 - HKLM\..\RunOnce: [mfcmj.exe] C:\WINDOWS\system32\mfcmj.exe

O4 - HKLM\..\RunOnce: [atlmn.exe] C:\WINDOWS\atlmn.exe

O4 - HKLM\..\RunOnce: [apiuz.exe] C:\WINDOWS\system32\apiuz.exe

O4 - HKLM\..\RunOnce: [ntzz.exe] C:\WINDOWS\system32\ntzz.exe

O4 - HKLM\..\RunOnce: [winps.exe] C:\WINDOWS\winps.exe

O4 - HKLM\..\RunOnce: [netbk.exe] C:\WINDOWS\netbk.exe

O4 - HKLM\..\RunOnce: [crmp.exe] C:\WINDOWS\system32\crmp.exe

O4 - HKLM\..\RunOnce: [netjj.exe] C:\WINDOWS\netjj.exe

O4 - HKLM\..\RunOnce: [ierc32.exe] C:\WINDOWS\ierc32.exe

O4 - HKLM\..\RunOnce: [ntgz32.exe] C:\WINDOWS\ntgz32.exe

O4 - HKLM\..\RunOnce: [ipxk.exe] C:\WINDOWS\system32\ipxk.exe

O4 - HKLM\..\RunOnce: [netee32.exe] C:\WINDOWS\system32\netee32.exe

 

 

Now Close all open Windows (have only HJT open) and click "Fix Checked".

 

 

Step 4:

 

Then delete the following files:

 

C:\WINDOWS\msfl.exe

C:\WINDOWS\apiii32.exe

C:\WINDOWS\d3et.exe

C:\WINDOWS\crfk32.exe

C:\WINDOWS\apppm32.exe

C:\WINDOWS\atlmn.exe

C:\WINDOWS\winps.exe

C:\WINDOWS\netbk.exe

C:\WINDOWS\netjj.exe

C:\WINDOWS\ierc32.exe

C:\WINDOWS\ntgz32.exe

C:\WINDOWS\zhddi.dll

 

C:\WINDOWS\system32\mfcnh.dll

C:\WINDOWS\system32\mfcnh.exe

C:\WINDOWS\system32\ipxk.exe

C:\WINDOWS\system32\netee32.exe

C:\WINDOWS\system32\crmp.exe

C:\WINDOWS\system32\apiuz.exe

C:\WINDOWS\system32\ntzz.exe

C:\WINDOWS\system32\netwg.exe

C:\WINDOWS\system32\mfcmj.exe

C:\WINDOWS\system32\nethk32.exe

 

and the file found in Step 1

 

And this folder:

 

C:\Program Files\Viewpoint\

 

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

 

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

 

Step 5:

 

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any of these entries:

 

__NS_Service

__NS_Service_2

__NS_Service_3

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

 

LEGACY___NS_Service

LEGACY___NS_Service_2

LEGACY___NS_Service_3

 

If you find it, right-click it in the right-pane and choose delete.

 

If you have trouble deleting a key, then click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

 

Step 6:

 

 

Then browse to the C:\documents and settings\<Your Profile> (repeat for all users)\local settings\temp folder and delete all files and folders in it.

Then browse to the C:\Windows\Temp folder and delete all files in it.

This will delete all your cached internet content including cookies.

 

Then in Internet Explorer (when you get back to IE) click Tools>Internet Options>General. Click on Delete Files and make sure you get all offline content as well.

 

Step 7:

 

Double click AboutBuster.exe that you downloaded earlier.

Hit start and then Ok. The program should start scanning. Then hit exit and reboot.

Once rebooted run About:Buster once more to make sure everything is ok.

 

Step 8:

 

Restore files deleted by this malware.

 

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

 

If you have Spybot S&D installed you will also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

 

If you are having any problems opening the control panel go here, and download control.exe per the instructions at the site.

 

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here: http://www.jfitz.com/tips/ie_security_config.html

 

Step 9:

 

Then, take a free on-line scan at HouseCall

 

Step 10:

 

Then, clean out your System Restore

Doing this will remove all your restore points.

 

Click Start > Settings > Control Panel.

Double-click the System icon.

On the Performance tab click File System.

Click the Troubleshooting tab

Then check Disable System Restore

Click OK.

Click Yes, when you are prompted to restart Windows.

 

After you have restarted, turn System Restore back on:

Click Start > Settings > Control Panel.

Double-click System.

On the Performance tab click File System.

On the Troubleshooting tab, uncheck Disable System Restore.

Click OK. Click Yes, when you are prompted to restart Windows.

 

After you restart, please post a new HJT log.

There is a newer version of HJT out now.

Open HJT, click Config... then Misc Tools, then Check for Update online, and get v1.98

Or you can get it here: HijackThis.exe

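An added example, not part of the reply above and not code from HijackThis: a small Python triage script that applies the patterns visible in Step 3 (IE pages set to a res:// URL inside a DLL, a "(no name)" BHO loaded from a Windows directory, and Run/RunOnce values named after an executable sitting directly in C:\WINDOWS or system32) to lines copied from the HijackThis v1.98.0 log posted in this thread. The rules are heuristics assumed from this thread's entries and only mark lines for review; the names triage, suspect_files and Finding are made up for the example.

```python
import re
from collections import namedtuple
from ntpath import basename, dirname  # Windows path rules, works on any OS

# Lines copied from the HijackThis v1.98.0 log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

Finding = namedtuple("Finding", "section reason path line")

# "R0/R1 - <registry key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - ([^,]+),(.+?) = (.*)$")
# "O2 - BHO: <name> - {CLSID} - <dll path>"
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.+)$")
# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# IE page redirected to an HTML resource embedded in a DLL
RES_DLL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
# Executable path at the start of a command line, quoted or not
EXE_PATH = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def in_system_dir(path):
    """True when the file sits directly in C:\\WINDOWS or system32."""
    return dirname(path).lower() in SYSTEM_DIRS


def triage(log_text):
    """Return the log lines that match this thread's hijack patterns."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            res = RES_DLL.match(m.group(4))
            if res:
                findings.append(Finding(
                    m.group(1), "IE page points into a local DLL resource",
                    res.group(1), line))
            continue
        m = O2_LINE.match(line)
        if m:
            name, dll = m.group(1), m.group(3)
            if name == "(no name)" and in_system_dir(dll):
                findings.append(Finding(
                    "O2", "unnamed BHO loaded from a Windows directory",
                    dll, line))
            continue
        m = O4_LINE.match(line)
        if m:
            value_name, command = m.group(3), m.group(4)
            exe = EXE_PATH.match(command)
            if (exe and in_system_dir(exe.group(1))
                    and value_name.lower() == basename(exe.group(1)).lower()):
                findings.append(Finding(
                    "O4", "autostart value named after its own executable",
                    exe.group(1), line))
    return findings


def suspect_files(findings):
    """Unique file names to look for on disk after fixing the entries."""
    return sorted({basename(f.path).lower() for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.path}")
    print("Files to review:", ", ".join(suspect_files(triage(SAMPLE_LOG))))
```

Entries the script does not match (the printer, myCIO and AIM autostarts, for instance) are left unflagged rather than declared safe; the helper's judgment on the full log still decides what gets fixed.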

This thing seems to be changing faster than I can remove the parts of it? Does it seem like we're getting anywhere?

 

Here's the latest HJT log.

 

Logfile of HijackThis v1.98.0

Scan saved at 11:09:51 AM, on 8/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\myCIO\Agent\myAgtSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TSIRCSRV.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\myCIO\VScan\McShield.exe

C:\WINDOWS\ipxv32.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\WINDOWS\myCIO\Agent\myagttry.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\nettg.exe

C:\WINDOWS\nettg.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wnvvt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe

O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe

O4 - HKLM\..\RunOnce: [ntpm32.exe] C:\WINDOWS\ntpm32.exe

O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe

O4 - HKLM\..\RunOnce: [ipkh.exe] C:\WINDOWS\ipkh.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap.mcafeeasap.com/VS2/bin/myCioAgt.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39

O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39

O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.2.211.dll


Hi headshell

Autodad is on vacation this week and he asked if I would help you out while he is gone.

 

Sometimes this particular infection can be very frustrating to remove; it seems to just keep coming back from nowhere. So let's give it another shot.

 

First open about:buster and check for any new updates.

 

Then boot into safe mode.

 

Run another HijackThis scan. Place a check next to the following entries, then close all open windows and click the Fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wnvvt.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll

O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe

O4 - HKLM\..\RunOnce: [ntpm32.exe] C:\WINDOWS\ntpm32.exe

O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe

O4 - HKLM\..\RunOnce: [ipkh.exe] C:\WINDOWS\ipkh.exe

Close HijackThis.

 

Then locate these files and delete them

C:\WINDOWS\system32\ipaw32.dll

C:\WINDOWS\ipxv32.exe

C:\WINDOWS\ntpm32.exe

C:\WINDOWS\nettg.exe

C:\WINDOWS\ipkh.exe

 

Then run an adaware scan.

 

Open About:Buster, hit Start and then OK. The program should start scanning. After it finishes scanning, hit Exit and reboot. After the reboot, post the report and a new HijackThis log here.
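The entries selected for fixing in the post above share a few recognisable shapes. As an added example (not part of the original posts and not a HijackThis feature), this Python sketch flags those shapes in a pasted log and lists the local files they name for review. The four rules are assumptions inferred from this thread's entries, and the sample lines are a subset copied from the log posted above.

```python
import re

# Sample input: a subset of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
"""

# Heuristic rules (assumptions for this example, first match wins).
RULES = [
    ("IE page setting points at a res:// resource inside a local DLL",
     re.compile(r"^R[01] - HK(?:CU|LM)\\.*= res://", re.I)),
    ("default URLSearchHook missing",
     re.compile(r"^R3 - Default URLSearchHook is missing", re.I)),
    ("unnamed Browser Helper Object",
     re.compile(r"^O2 - BHO: \(no name\)", re.I)),
    ("autostart executable sitting directly in C:\\WINDOWS",
     re.compile(r'^O4 - .+?: \[.+?\] "?C:\\WINDOWS\\[^\\"]+\.exe"?$', re.I)),
]

def triage(log_text):
    """Return (reason, line) for every log line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        for reason, pattern in RULES:
            if pattern.search(line):
                hits.append((reason, line))
                break
    return hits

def flagged_files(hits):
    """Distinct local .dll/.exe paths named in flagged lines, in log order."""
    paths = []
    for _, line in hits:
        m = re.search(r'[A-Za-z]:\\[^"/]+?\.(?:dll|exe)', line, re.I)
        if m and m.group(0) not in paths:
            paths.append(m.group(0))
    return paths

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
    print(flagged_files(triage(SAMPLE_LOG)))
```

A flagged line is a prompt for a closer look, not a verdict: the printer, antivirus and AIM entries pass these rules only because of where they live on disk, and a legitimate program installed directly in C:\WINDOWS would be flagged too.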
