hijacked help please


9 replies to this topic

#1 headshell

    Member

  • Full Member
  • 6 posts

Posted 06 July 2004 - 07:43 PM

I ran adaware and spybot search and destroy.
Thanks


Logfile of HijackThis v1.97.7
Scan saved at 4:10:52 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\system32\winnd.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\msud32.exe
C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaqbt.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jaqbt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jaqbt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jaqbt.dll/sp.html#28129
O2 - BHO: (no name) - {147B64BE-6EFA-DCA0-9281-0618E872C1A2} - C:\WINDOWS\system32\winqu.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [winqu.exe] C:\WINDOWS\system32\winqu.exe
O4 - HKLM\..\Run: [msud32.exe] C:\WINDOWS\msud32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap...in/myCioAgt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =
O17 - HKLM\System\CS3\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer =

#2 headshell

    Member

  • Full Member
  • 6 posts

Posted 07 July 2004 - 12:53 PM

and CWShredder. Homepage is res://rnrah.dll/index.html#28129
thx,

#3 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 09 July 2004 - 10:22 PM

Hello headshell,

Sorry for the wait. Try this:
Please download About:Buster and unzip it to your desktop.
Start it, hit Ok, Start, and Ok to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

#4 headshell

    Member

  • Full Member
  • 6 posts

Posted 13 July 2004 - 01:09 PM

Ok. Here we go.
thx,



-- Scan 1 --------
About:Buster Version 1.27
Removed! : C:\WINDOWS\apiwp.exe
Removed! : C:\WINDOWS\arrusi.dat
Removed! : C:\WINDOWS\aujnap.dat
Removed! : C:\WINDOWS\belcve.dat
Removed! : C:\WINDOWS\brwrs.dat
Removed! : C:\WINDOWS\bujqfo.dat
Removed! : C:\WINDOWS\corwau.dat
Removed! : C:\WINDOWS\drbtna.dat
Removed! : C:\WINDOWS\gauqjj.dat
Removed! : C:\WINDOWS\gdjjn.dat
Removed! : C:\WINDOWS\ggiwxq.dat
Removed! : C:\WINDOWS\hsibm.dll
Removed! : C:\WINDOWS\iadwyk.dat
Removed! : C:\WINDOWS\ibsfay.dat
Removed! : C:\WINDOWS\ieax32.exe
Removed! : C:\WINDOWS\ijgexz.dat
Removed! : C:\WINDOWS\iktcgy.dat
Removed! : C:\WINDOWS\joazrd.dat
Removed! : C:\WINDOWS\jrzfdb.dat
Removed! : C:\WINDOWS\kmrbkf.dat
Removed! : C:\WINDOWS\kndzbf.dat
Removed! : C:\WINDOWS\kuppcs.dat
Removed! : C:\WINDOWS\lcrbqh.dat
Removed! : C:\WINDOWS\lpkpm.dat
Removed! : C:\WINDOWS\lpkpm.dll
Removed! : C:\WINDOWS\lttiho.dat
Removed! : C:\WINDOWS\lwyham.dat
Removed! : C:\WINDOWS\mdhcrs.dat
Removed! : C:\WINDOWS\mfhlpz.dat
Removed! : C:\WINDOWS\msup.exe
Removed! : C:\WINDOWS\nhdeq.dll
Removed! : C:\WINDOWS\nhxfz.dat
Removed! : C:\WINDOWS\nofjjp.dat
Removed! : C:\WINDOWS\nrybtu.dat
Removed! : C:\WINDOWS\ntgyqd.dat
Removed! : C:\WINDOWS\nxcupc.dat
Removed! : C:\WINDOWS\n_corwau.dat
Removed! : C:\WINDOWS\ooryey.dat
Removed! : C:\WINDOWS\oymiah.dat
Removed! : C:\WINDOWS\pewsbk.dat
Removed! : C:\WINDOWS\qdlge.dat
Removed! : C:\WINDOWS\qippvr.dat
Removed! : C:\WINDOWS\qiuwsz.dat
Removed! : C:\WINDOWS\qnlazn.dat
Removed! : C:\WINDOWS\rrqvb.dll
Removed! : C:\WINDOWS\rxjmva.dat
Removed! : C:\WINDOWS\shzoaf.dat
Removed! : C:\WINDOWS\sijmui.dat
Removed! : C:\WINDOWS\slflff.dat
Removed! : C:\WINDOWS\slnnt.dat
Removed! : C:\WINDOWS\tacjih.dat
Removed! : C:\WINDOWS\tkrlnl.dat
Removed! : C:\WINDOWS\udmnwi.dat
Removed! : C:\WINDOWS\uvbmna.dat
Removed! : C:\WINDOWS\vjjrlu.dat
Removed! : C:\WINDOWS\vpndju.dat
Removed! : C:\WINDOWS\vtvcw.dat
Removed! : C:\WINDOWS\vvdrwg.dat
Removed! : C:\WINDOWS\wmcoyb.dat
Removed! : C:\WINDOWS\wqkcjk.dat
Removed! : C:\WINDOWS\xoyyo.dat
Removed! : C:\WINDOWS\xtqdc.dat
Removed! : C:\WINDOWS\xvtee.dat
Removed! : C:\WINDOWS\yguju.dat
Removed! : C:\WINDOWS\zehwk.dll
Removed! : C:\WINDOWS\zlaqlc.dat
Removed! : C:\WINDOWS\System32\appoy32.exe
Removed! : C:\WINDOWS\System32\bikgj.dat
Removed! : C:\WINDOWS\System32\czqxm.dat
Removed! : C:\WINDOWS\System32\dfuna.dat
Removed! : C:\WINDOWS\System32\eimjm.dat
Removed! : C:\WINDOWS\System32\eqeek.dat
Removed! : C:\WINDOWS\System32\gszku.dat
Removed! : C:\WINDOWS\System32\jaqbt.dat
Removed! : C:\WINDOWS\System32\mefif.dat
Removed! : C:\WINDOWS\System32\moykg.dat
Removed! : C:\WINDOWS\System32\qhkzj.dat
Removed! : C:\WINDOWS\System32\sxkzj.dat
Removed! : C:\WINDOWS\System32\veawh.dll
Removed! : C:\WINDOWS\System32\wiygp.dat
Removed! : C:\WINDOWS\System32\ywohj.dat
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-----------------------------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 11:06:27 AM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\apiii32.exe
C:\WINDOWS\system32\mfcnh.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://veawh.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
O2 - BHO: (no name) - {BC18EDB1-7152-4300-9435-4B195A2401DF} - C:\WINDOWS\system32\mfcsc.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe
O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [sdkka32.exe] C:\WINDOWS\system32\sdkka32.exe
O4 - HKLM\..\RunOnce: [sdklv.exe] C:\WINDOWS\system32\sdklv.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [mspd.exe] C:\WINDOWS\mspd.exe
O4 - HKLM\..\RunOnce: [mshv32.exe] C:\WINDOWS\mshv32.exe
O4 - HKLM\..\RunOnce: [ipnd.exe] C:\WINDOWS\system32\ipnd.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39

#5 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 13 July 2004 - 05:56 PM

Hello headshell,

Let's try it this way. I know you have Ad-aware, so please set it up this way:

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and click Next).
___________

Now, reboot to Safe Mode (tap F8 while restarting).

Then open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {BC18EDB1-7152-4300-9435-4B195A2401DF} - C:\WINDOWS\system32\mfcsc.dll

O4 - HKLM\..\Run: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe
O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe
O4 - HKLM\..\RunOnce: [sdkka32.exe] C:\WINDOWS\system32\sdkka32.exe
O4 - HKLM\..\RunOnce: [sdklv.exe] C:\WINDOWS\system32\sdklv.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [mspd.exe] C:\WINDOWS\mspd.exe
O4 - HKLM\..\RunOnce: [mshv32.exe] C:\WINDOWS\mshv32.exe
O4 - HKLM\..\RunOnce: [ipnd.exe] C:\WINDOWS\system32\ipnd.exe



Now, make sure you close all open windows (have only HJT open) and click "Fix Checked".

- - - - - - - -

Then, while still in safe mode, run About:Buster.
Start it. (Don't worry about the pop-up that says to fix all random objects, we just did that.)
Hit Ok, Start, and Ok to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

- - - - - - - -

Now run Ad-aware, while still in safe mode.

_________

Then, reboot normally and take a free on-line scan at HouseCall


After you do the above, please post a new HJT log, and your About Buster log.
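The entries Autodad ticks above follow a recognisable pattern for this CoolWebSearch variant: res:// start and search pages pointing into a DLL, a BHO with no name, and Run/RunOnce values named after their own executable. The script below is an added example, not part of the thread or of HijackThis; it applies those three heuristics (my own assumptions, not HijackThis rules) to the non-process lines of the 13 July log and reproduces that selection, flagging the R0/R1 lines as well.

```python
"""Triage helper for HijackThis v1.97 log lines.

Added example for this thread; not part of HijackThis, About:Buster or
Ad-aware. Three heuristics, chosen for the CoolWebSearch variant seen here:
  1. R0/R1 start/search pages whose value is a res:// URL into a DLL;
  2. an O2 BHO listed as "(no name)";
  3. O4 Run/RunOnce values whose name is the executable's own file name and
     whose file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32.
SAMPLE_LOG is constructed from the log posted in this thread.
"""
import re
from typing import List, Tuple

RES_HIJACK = re.compile(r"^R[01] - .*?= (res://\S*?\.dll/\S*)$", re.I)
UNNAMED_BHO = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (.+)$", re.I)
RUN_ENTRY = re.compile(
    r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.+)$", re.I)
# Executable directly under the Windows directory or system32, no deeper path.
WINDOWS_DIR_EXE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.I)


def is_self_named_run_entry(name: str, command: str) -> bool:
    """True for entries such as [appoy32.exe] C:\\WINDOWS\\system32\\appoy32.exe.

    Legitimate entries in this log use product names ([AIM],
    [Dell AIO Printer A920]) or live in a vendor subdirectory, so they fail.
    """
    exe = command.strip().strip('"').split(" -")[0]  # drop switches like -cnetwait.odl
    basename = exe.split("\\")[-1]
    return name.lower() == basename.lower() and WINDOWS_DIR_EXE.match(exe) is not None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for the entries worth ticking in HijackThis."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if RES_HIJACK.match(line):
            findings.append(("res:// page hijack", line))
        elif UNNAMED_BHO.match(line):
            findings.append(("unnamed BHO", line))
        else:
            m = RUN_ENTRY.match(line)
            if m and is_self_named_run_entry(m.group(1), m.group(2)):
                findings.append(("self-named Run/RunOnce entry", line))
    return findings


# Constructed input: the non-process lines of the 13 July 2004 HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://veawh.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://veawh.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\veawh.dll/sp.html#28129
O2 - BHO: (no name) - {BC18EDB1-7152-4300-9435-4B195A2401DF} - C:\WINDOWS\system32\mfcsc.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [appoy32.exe] C:\WINDOWS\system32\appoy32.exe
O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [sdkka32.exe] C:\WINDOWS\system32\sdkka32.exe
O4 - HKLM\..\RunOnce: [sdklv.exe] C:\WINDOWS\system32\sdklv.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [mspd.exe] C:\WINDOWS\mspd.exe
O4 - HKLM\..\RunOnce: [mshv32.exe] C:\WINDOWS\mshv32.exe
O4 - HKLM\..\RunOnce: [ipnd.exe] C:\WINDOWS\system32\ipnd.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39
"""


def main() -> None:
    for reason, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{reason}] {line}")


if __name__ == "__main__":
    main()
```

Run against the earlier 6 July log it picks out the same pattern under the names jaqbt.dll, winqu.dll, winqu.exe and msud32.exe, which is the point: the file names change between reinfections, the structure does not.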

#6 headshell

    Member

  • Full Member
  • 6 posts

Posted 30 July 2004 - 02:45 PM

Autodad,
It's been a couple of weeks since I've been able to get back to this, but here we go.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

1st ad-aware log.

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, July 30, 2004 10:44:42 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R334 24.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R334 24.07.2004
Internal build : 268
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1316091 Bytes
Signature data size : 1295051 Bytes
Reference data size : 20976 Bytes
Signatures total : 28648
Target categories : 10
Target families : 528

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:63 %
Total physical memory:522240 kb
Available physical memory:324056 kb
Total page file size:1277048 kb
Available on page file:1123756 kb
Total virtual memory:2097024 kb
Available virtual memory:2053732 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-30-2004 10:44:42 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-30-2004 2:20:51 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:54 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:55 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 3/19/2004 10:42:30 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:42:30 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:55 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 3/19/2004 10:38:40 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:38:40 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:55 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 3/19/2004 10:43:22 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:43:22 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-30-2004 2:20:55 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 3/19/2004 10:43:22 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:43:22 PM

#:7 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:56 PM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 6/2/2003 4:01:26 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/2/2003 4:01:26 PM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:56 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 3/19/2004 10:43:06 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:43:06 PM

#:9 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:20:56 PM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 6/2/2003 3:56:02 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/2/2003 3:56:02 PM

#:10 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:21:02 PM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 3/19/2004 10:34:26 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:34:26 PM

#:11 [myagtsvc.exe]
FilePath : C:\WINDOWS\myCIO\Agent\
ThreadCreationTime : 7-30-2004 2:21:03 PM
BasePriority : Normal
FileSize : 68 KB
FileVersion : 2.7.2.211
ProductVersion : 2.7.2
CompanyName : Network Associates, Inc.
FileDescription : myAgtSvc Module
InternalName : myAgtSvc
OriginalFilename : myAgtSvc.exe
ProductName : McAfee
Created on : 6/30/2004 6:34:57 PM
Last accessed : 7/30/2004 5:31:25 PM
Last modified : 3/19/2004 9:07:20 AM

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-30-2004 2:21:06 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 3/19/2004 10:37:14 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:37:14 PM

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-30-2004 2:21:07 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 3/19/2004 10:43:22 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:43:22 PM

#:14 [tsircsrv.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-30-2004 2:21:07 PM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 14,500,3200,0
ProductVersion : 11,05,32,00
Copyright : Copyright
CompanyName : LapLink, Inc.
FileDescription : Remote Control Component
InternalName : TSIRCSRV
OriginalFilename : TSIRCSRV.EXE
ProductName : LAPLINK GOLD
Created on : 7/1/2004 3:13:31 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/19/2003 12:22:14 AM

#:15 [apiii32.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-30-2004 2:21:07 PM
BasePriority : Normal
FileSize : 9 KB
Created on : 6/19/2004 10:18:36 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/19/2004 10:18:36 PM

#:16 [mcshield.exe]
FilePath : C:\WINDOWS\myCIO\VScan\
ThreadCreationTime : 7-30-2004 2:21:12 PM
BasePriority : High
FileSize : 232 KB
FileVersion : 7.1.0.136
ProductVersion : 7.1.0
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : On-Access Scanner service
ProductName : VirusScan (Enterprise, ASaP & Retail.)
Created on : 6/30/2004 6:35:26 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 9:07:20 AM

#:17 [dlbkbmgr.exe]
FilePath : C:\Program Files\Dell AIO Printer A920\
ThreadCreationTime : 7-30-2004 2:21:34 PM
BasePriority : Normal
FileSize : 264 KB
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
CompanyName : Dell Computer Corporation
FileDescription : Dell AIO Printer A920Button Manager
InternalName : dlbkbmgr.exe
OriginalFilename : dlbkbmgr.exe
ProductName : Button Manager Executable
Created on : 6/2/2003 6:25:24 PM
Last accessed : 7/30/2004 5:20:53 PM
Last modified : 6/2/2003 6:25:24 PM

#:18 [myagttry.exe]
FilePath : C:\WINDOWS\myCIO\Agent\
ThreadCreationTime : 7-30-2004 2:21:34 PM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 2.8.0.201
ProductVersion : 2.8.0
CompanyName : Network Associates, Inc.
FileDescription : myAgtTry Module
InternalName : myAgtTry
OriginalFilename : myAgtTry.exe
ProductName : McAfee
Created on : 6/30/2004 6:34:57 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/28/2004 9:08:00 AM

#:19 [mfcnh.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:21:34 PM
BasePriority : Normal
FileSize : 26 KB
Created on : 6/15/2004 8:26:36 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/15/2004 8:26:36 PM

#:20 [viewmgr.exe]
FilePath : C:\Program Files\Viewpoint\Viewpoint Manager\
ThreadCreationTime : 7-30-2004 2:21:34 PM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1, 0, 0, 43
ProductVersion : 1, 0, 0, 43
Copyright : Copyright
CompanyName : Viewpoint Corporation
FileDescription : ViewMgr
InternalName : Viewpoint Manager
OriginalFilename : ViewMgr.exe
ProductName : Viewpoint Manager
Created on : 7/22/2004 11:24:59 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 4/19/2004 4:06:56 PM

#:21 [dlbkbmon.exe]
FilePath : C:\Program Files\Dell AIO Printer A920\
ThreadCreationTime : 7-30-2004 2:21:34 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
CompanyName : Dell Computer Corporation
FileDescription : Dell AIO Printer A920Button Monitor
InternalName : dlbkbmon.exe
OriginalFilename : dlbkbmon.exe
ProductName : Button Monitor Executable
Created on : 6/2/2003 6:50:58 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 6/2/2003 6:50:58 PM

#:22 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-30-2004 2:28:41 PM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 3/19/2004 10:34:24 PM
Last accessed : 7/30/2004 5:44:42 PM
Last modified : 3/19/2004 10:34:24 PM

#:23 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-30-2004 5:36:36 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/29/2004 11:04:29 PM
Last accessed : 7/30/2004 5:36:36 PM
Last modified : 7/13/2003 5:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://zhddi.dll/index.html#28129"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://zhddi.dll/index.html#28129"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://zhddi.dll/index.html#28129"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://zhddi.dll/index.html#28129"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://zhddi.dll/index.html#28129"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://zhddi.dll/index.html#28129"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-125304-989.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 3/27/2004 12:39:08 AM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 3/27/2004 12:39:08 AM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-150532-365.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 2/25/2004 12:28:47 PM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 2/25/2004 12:28:47 PM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-150705-153.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 2/25/2004 12:28:47 PM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 2/25/2004 12:28:47 PM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-151747-720.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 1/26/2004 12:18:25 AM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 1/26/2004 12:18:25 AM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-152249-540.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 12/26/2003 12:08:04 PM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 12/26/2003 12:08:04 PM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-160606-554.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 11/25/2003 11:57:42 PM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 11/25/2003 11:57:42 PM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040706-161145-180.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\
FileSize : 89 KB
Created on : 10/26/2003 11:47:21 AM
Last accessed : 7/30/2004 5:46:08 PM
Last modified : 10/26/2003 11:47:21 AM



CoolWebSearch Object recognized!
Type : File
Data : backup-20040701-124531-583.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Jeff Nichols\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\backups\
FileSize : 89 KB
Created on : 6/11/2004 7:24:43 AM
Last accessed : 7/30/2004 5:46:10 PM
Last modified : 6/11/2004 7:24:43 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002208.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 3/27/2004 12:39:08 AM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 3/27/2004 12:39:08 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002266.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 2/25/2004 12:28:47 PM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 2/25/2004 12:28:47 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002268.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 5/22/2004 2:27:30 PM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 5/22/2004 2:27:30 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002269.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 6/22/2004 2:37:52 AM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 6/22/2004 2:37:52 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002280.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 6/26/2004 1:10:12 PM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 6/26/2004 1:10:12 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002287.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 5/27/2004 12:59:51 AM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 5/27/2004 12:59:51 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002293.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 1/26/2004 12:18:25 AM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 1/26/2004 12:18:25 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002301.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 89 KB
Created on : 12/26/2003 12:08:04 PM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 12/26/2003 12:08:04 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002331.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 6/23/2004 5:40:59 PM
Last accessed : 7/30/2004 5:50:06 PM
Last modified : 6/23/2004 5:40:59 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002332.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 6/23/2004 11:08:16 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/23/2004 11:08:16 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002333.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 69 KB
Created on : 6/20/2004 7:54:22 PM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/20/2004 7:54:22 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002334.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 69 KB
Created on : 6/27/2004 1:32:39 PM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/27/2004 1:32:39 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002335.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 9 KB
Created on : 7/1/2004 2:20:37 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 7/1/2004 2:20:37 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002336.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 6/20/2004 3:51:00 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/20/2004 3:51:00 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002337.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 6/25/2004 1:08:37 PM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/25/2004 1:08:37 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002338.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 69 KB
Created on : 6/10/2004 12:38:12 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/10/2004 12:38:12 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002339.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 69 KB
Created on : 6/24/2004 8:44:02 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/24/2004 8:44:02 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002340.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 5/22/2004 2:27:30 PM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 5/22/2004 2:27:30 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002342.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 9 KB
Created on : 6/12/2004 7:28:52 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 6/12/2004 7:28:52 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002343.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 69 KB
Created on : 7/7/2004 7:53:50 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 7/7/2004 7:53:50 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002344.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 5/24/2004 5:30:38 AM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 5/24/2004 5:30:38 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002352.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP11\
FileSize : 26 KB
Created on : 7/2/2004 11:59:01 PM
Last accessed : 7/30/2004 5:50:07 PM
Last modified : 7/2/2004 11:59:01 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002365.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP12\
FileSize : 26 KB
Created on : 7/2/2004 5:34:43 AM
Last accessed : 7/30/2004 5:50:08 PM
Last modified : 7/2/2004 5:34:43 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002366.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP12\
FileSize : 69 KB
Created on : 7/7/2004 7:59:04 AM
Last accessed : 7/30/2004 5:50:08 PM
Last modified : 7/7/2004 7:59:04 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002374.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP14\
FileSize : 9 KB
Created on : 7/1/2004 9:06:27 PM
Last accessed : 7/30/2004 5:50:09 PM
Last modified : 7/1/2004 9:06:27 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002375.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP14\
FileSize : 69 KB
Created on : 7/2/2004 6:58:38 PM
Last accessed : 7/30/2004 5:50:09 PM
Last modified : 7/2/2004 6:58:38 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002392.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP14\
FileSize : 26 KB
Created on : 6/5/2004 11:07:23 AM
Last accessed : 7/30/2004 5:50:09 PM
Last modified : 6/5/2004 11:07:23 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002399.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\
FileSize : 9 KB
Created on : 7/4/2004 11:17:32 PM
Last accessed : 7/30/2004 5:50:10 PM
Last modified : 7/4/2004 11:17:32 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002400.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\
FileSize : 69 KB
Created on : 7/8/2004 10:01:11 AM
Last accessed : 7/30/2004 5:50:10 PM
Last modified : 7/8/2004 10:01:11 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002401.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP15\
FileSize : 26 KB
Created on : 5/21/2004 9:02:00 AM
Last accessed : 7/30/2004 5:50:10 PM
Last modified : 5/21/2004 9:02:00 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003595.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP16\
FileSize : 69 KB
Created on : 7/8/2004 10:10:34 AM
Last accessed : 7/30/2004 5:50:39 PM
Last modified : 7/8/2004 10:10:34 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003606.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP16\
FileSize : 9 KB
Created on : 6/13/2004 4:38:08 PM
Last accessed : 7/30/2004 5:50:39 PM
Last modified : 6/13/2004 4:38:08 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003607.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP16\
FileSize : 69 KB
Created on : 7/3/2004 9:15:41 AM
Last accessed : 7/30/2004 5:50:39 PM
Last modified : 7/3/2004 9:15:41 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003618.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP16\
FileSize : 89 KB
Created on : 9/25/2003 11:36:59 PM
Last accessed : 7/30/2004 5:50:39 PM
Last modified : 9/25/2003 11:36:59 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003619.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP16\
FileSize : 89 KB
Created on : 6/26/2004 1:10:12 PM
Last accessed : 7/30/2004 5:50:39 PM
Last modified : 6/26/2004 1:10:12 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003636.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP17\
FileSize : 9 KB
Created on : 7/4/2004 4:43:13 AM
Last accessed : 7/30/2004 5:50:40 PM
Last modified : 7/4/2004 4:43:13 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003645.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP17\
FileSize : 89 KB
Created on : 6/28/2004 5:27:31 PM
Last accessed : 7/30/2004 5:50:40 PM
Last modified : 6/28/2004 5:27:31 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003657.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP21\
FileSize : 9 KB
Created on : 7/2/2004 10:05:11 AM
Last accessed : 7/30/2004 5:50:42 PM
Last modified : 7/2/2004 10:05:11 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003658.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP21\
FileSize : 69 KB
Created on : 6/26/2004 1:20:06 PM
Last accessed : 7/30/2004 5:50:43 PM
Last modified : 6/26/2004 1:20:06 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003672.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP21\
FileSize : 69 KB
Created on : 7/12/2004 9:03:06 AM
Last accessed : 7/30/2004 5:50:43 PM
Last modified : 7/12/2004 9:03:06 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003694.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 9 KB
Created on : 7/5/2004 9:25:18 AM
Last accessed : 7/30/2004 5:50:43 PM
Last modified : 7/5/2004 9:25:18 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003695.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 5/21/2004 8:58:16 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 5/21/2004 8:58:16 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003696.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 26 KB
Created on : 7/2/2004 9:33:30 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 7/2/2004 9:33:30 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003697.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 6/27/2004 10:48:01 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 6/27/2004 10:48:01 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003698.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 26 KB
Created on : 6/9/2004 9:20:26 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 6/9/2004 9:20:26 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003699.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 6/12/2004 4:22:55 AM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 6/12/2004 4:22:55 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003700.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 6/19/2004 2:22:00 AM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 6/19/2004 2:22:00 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003701.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 7/1/2004 4:13:13 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 7/1/2004 4:13:13 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003702.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 26 KB
Created on : 7/3/2004 9:19:15 AM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 7/3/2004 9:19:15 AM



CoolWebSearch Object recognized!
Type : File
Data : a0003704.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 7/7/2004 1:42:59 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 7/7/2004 1:42:59 PM



CoolWebSearch Object recognized!
Type : File
Data : a0003723.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP22\
FileSize : 69 KB
Created on : 7/7/2004 1:56:29 PM
Last accessed : 7/30/2004 5:50:44 PM
Last modified : 7/7/2004 1:56:29 PM



CoolWebSearch Object recognized!
Type : File
Data : a0004132.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP31\
FileSize : 69 KB
Created on : 6/16/2004 6:36:55 AM
Last accessed : 7/30/2004 5:50:57 PM
Last modified : 6/16/2004 6:36:55 AM



CoolWebSearch Object recognized!
Type : File
Data : a0004392.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP36\
FileSize : 69 KB
Created on : 6/25/2004 10:07:22 AM
Last accessed : 7/30/2004 5:51:05 PM
Last modified : 6/25/2004 10:07:22 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002035.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP6\
FileSize : 89 KB
Created on : 6/11/2004 7:24:43 AM
Last accessed : 7/30/2004 5:51:25 PM
Last modified : 6/11/2004 7:24:43 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002103.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 26 KB
Created on : 6/30/2004 11:22:34 PM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/30/2004 11:22:48 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002104.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 89 KB
Created on : 5/8/2004 11:20:27 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 5/8/2004 11:20:27 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002105.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 6/2/2004 3:17:14 PM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/2/2004 3:17:14 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002106.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 6/29/2004 11:24:27 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/29/2004 11:24:27 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002107.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 6/20/2004 9:48:57 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/20/2004 9:48:57 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002108.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 7/2/2004 1:08:36 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 7/2/2004 1:08:36 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002109.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 7/2/2004 1:08:38 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 7/2/2004 1:08:38 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002110.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 7/2/2004 1:08:49 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 7/2/2004 1:08:49 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002111.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 7/6/2004 1:24:01 AM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 7/6/2004 1:24:01 AM



CoolWebSearch Object recognized!
Type : File
Data : a0002112.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 6/8/2004 5:43:52 PM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/8/2004 5:43:52 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002114.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 9 KB
Created on : 6/16/2004 10:42:13 PM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 6/16/2004 10:42:13 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002115.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 89 KB
Created on : 4/12/2004 5:06:15 PM
Last accessed : 7/30/2004 5:51:26 PM
Last modified : 4/12/2004 5:06:15 PM



CoolWebSearch Object recognized!
Type : File
Data : a0002123.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP8\
FileSize : 26 KB
Created on : 6/5/2004 5:08:36 AM
Last accessed : 7/30/2004 5:51:27 PM
Last modified : 6/5/2004 5:08:36 AM



CoolWebSearch Object recognized!
Type : File
Data : javasy32.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 6/22/2004 2:37:52 AM
Last accessed : 7/30/2004 5:53:56 PM
Last modified : 7/6/2004 10:08:59 PM



CoolWebSearch Object recognized!
Type : File
Data : msud32.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 7/7/2004 4:51:21 PM
Last accessed : 7/30/2004 5:53:56 PM
Last modified : 7/7/2004 4:51:21 PM



CoolWebSearch Object recognized!
Type : File
Data : netwv32.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 7/6/2004 6:56:14 PM
Last accessed : 7/30/2004 5:53:56 PM
Last modified : 7/6/2004 6:56:14 PM



CoolWebSearch Object recognized!
Type : File
Data : netxy.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 7/8/2004 6:48:06 PM
Last accessed : 7/30/2004 5:53:57 PM
Last modified : 7/8/2004 6:48:06 PM



CoolWebSearch Object recognized!
Type : File
Data : xlxgz.dll
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 66 KB
Created on : 5/23/2004 1:27:58 AM
Last accessed : 7/30/2004 5:53:58 PM
Last modified : 5/23/2004 1:27:58 AM



CoolWebSearch Object recognized!
Type : File
Data : zhddi.dll
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 69 KB
Created on : 7/1/2004 7:17:29 AM
Last accessed : 7/30/2004 5:53:58 PM
Last modified : 7/1/2004 7:17:29 AM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 84


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW


CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 88


10:53:59 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯

#7 Autodad

Autodad

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 2,118 posts

Posted 30 July 2004 - 07:19 PM

Hi headshell,

There has been an update to HJT and AboutBuster since the last time you were here.
Your Ad-aware has the latest update, good job.

Download About:Buster v2.0 from here: http://www.downloads...AboutBuster.zip
but don't run it yet.
Unzip all files from the zip folder to a folder or your desktop.
Start it and click ok.
Then click "Update". A new screen should popup.
On that screen click "Check for Updates".
If there is an update found, click "Download Updates".
If it doesn't find an update, it will automatically tell you and exit.
We will run it later.
_ _ _ _ _ _

First go to Add/Remove Programs
Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
and Remove this (if there):

Viewpoint Media Player

Then close Control Panel.
_ _ _ _ _ _

Make sure you can view hidden and system files: hidden files

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


It might help to print this part out. Don't open Internet Explorer during any portion of this process.

Reboot to Safe mode (tap F8 while restarting).

Step 1:

Click on start, the control panel, then administrative programs, then services. Look for a service called Network Security Service. Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these: (if they are there)

apiii32.exe
mfcnh.exe
javasy32.exe
msud32.exe
netwv32.exe
netxy.exe

viewmgr.exe


Then close task manager.

Step 3:

Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhddi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhddi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zhddi.dll/sp.html#28129

O2 - BHO: (no name) - {9041DC7F-A546-4FA4-2F1E-B74E22A722FE} - C:\WINDOWS\system32\mfcnh.dll

O4 - HKLM\..\Run: [mfcnh.exe] C:\WINDOWS\system32\mfcnh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\RunOnce: [mshv.exe] C:\WINDOWS\system32\mshv.exe
O4 - HKLM\..\RunOnce: [msfl.exe] C:\WINDOWS\msfl.exe
O4 - HKLM\..\RunOnce: [apiii32.exe] C:\WINDOWS\apiii32.exe
O4 - HKLM\..\RunOnce: [d3et.exe] C:\WINDOWS\d3et.exe
O4 - HKLM\..\RunOnce: [crfk32.exe] C:\WINDOWS\crfk32.exe
O4 - HKLM\..\RunOnce: [nethk32.exe] C:\WINDOWS\system32\nethk32.exe
O4 - HKLM\..\RunOnce: [apppm32.exe] C:\WINDOWS\apppm32.exe
O4 - HKLM\..\RunOnce: [netwg.exe] C:\WINDOWS\system32\netwg.exe
O4 - HKLM\..\RunOnce: [mfcmj.exe] C:\WINDOWS\system32\mfcmj.exe
O4 - HKLM\..\RunOnce: [atlmn.exe] C:\WINDOWS\atlmn.exe
O4 - HKLM\..\RunOnce: [apiuz.exe] C:\WINDOWS\system32\apiuz.exe
O4 - HKLM\..\RunOnce: [ntzz.exe] C:\WINDOWS\system32\ntzz.exe
O4 - HKLM\..\RunOnce: [winps.exe] C:\WINDOWS\winps.exe
O4 - HKLM\..\RunOnce: [netbk.exe] C:\WINDOWS\netbk.exe
O4 - HKLM\..\RunOnce: [crmp.exe] C:\WINDOWS\system32\crmp.exe
O4 - HKLM\..\RunOnce: [netjj.exe] C:\WINDOWS\netjj.exe
O4 - HKLM\..\RunOnce: [ierc32.exe] C:\WINDOWS\ierc32.exe
O4 - HKLM\..\RunOnce: [ntgz32.exe] C:\WINDOWS\ntgz32.exe
O4 - HKLM\..\RunOnce: [ipxk.exe] C:\WINDOWS\system32\ipxk.exe
O4 - HKLM\..\RunOnce: [netee32.exe] C:\WINDOWS\system32\netee32.exe



Now close all open windows (have only HJT open) and click "Fix Checked".


Step 4:

Then delete the following files:

C:\WINDOWS\msfl.exe
C:\WINDOWS\apiii32.exe
C:\WINDOWS\d3et.exe
C:\WINDOWS\crfk32.exe
C:\WINDOWS\apppm32.exe
C:\WINDOWS\atlmn.exe
C:\WINDOWS\winps.exe
C:\WINDOWS\netbk.exe
C:\WINDOWS\netjj.exe
C:\WINDOWS\ierc32.exe
C:\WINDOWS\ntgz32.exe
C:\WINDOWS\zhddi.dll

C:\WINDOWS\system32\mfcnh.dll
C:\WINDOWS\system32\mfcnh.exe
C:\WINDOWS\system32\ipxk.exe
C:\WINDOWS\system32\netee32.exe
C:\WINDOWS\system32\crmp.exe
C:\WINDOWS\system32\apiuz.exe
C:\WINDOWS\system32\ntzz.exe
C:\WINDOWS\system32\netwg.exe
C:\WINDOWS\system32\mfcmj.exe
C:\WINDOWS\system32\nethk32.exe

and The file found in step 1

And this folder:

C:\Program Files\Viewpoint\

Also delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Step 5:

Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3


If any are listed, right-click that entry in the right pane and choose Delete.

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3


If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or some other name that starts with LEGACY__NS_SERVICE) to highlight it and click on the Permission menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.

Step 6:


Then browse to the C:\documents and settings\<Your Profile> (repeat for all users)\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
This will delete all your cached internet content including cookies.

Then in Internet Explorer (when you get back to IE) click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

Step 7:

Double click AboutBuster.exe that you downloaded earlier.
Hit start and then Ok. The program should start scanning. Then hit exit and reboot.
Once rebooted run About:Buster once more to make sure everything is ok.

Step 8:

Restore files deleted by this malware.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit the program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

If you are having any problems opening the control panel go here, and download control.exe per the instructions at the site.

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here: http://www.jfitz.com...ity_config.html

Step 9:

Then, take a free on-line scan at HouseCall

Step 10:

Then, clean out your System Restore
Doing this will remove all your restore points.

Click Start > Settings > Control Panel.
Double-click the System icon.
On the Performance tab click File System.
Click the Troubleshooting tab
Then check Disable System Restore
Click OK.
Click Yes, when you are prompted to restart Windows.

After you have restarted, turn System Restore back on:
Click Start > Settings > Control Panel.
Double-click System.
On the Performance tab click File System.
On the Troubleshooting tab, uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

After you restart, please post a new HJT log.
There is a newer version of HJT out now.
Open HJT, click Config... then Misc Tools, then Check for Update online, and get v1.98
Or you can get it here: HijackThis.exe

#8 headshell

headshell

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 04 August 2004 - 01:21 PM

This thing seems to be changing faster than I can remove the parts of it. Does it seem like we're getting anywhere?

Here's the latest HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 11:09:51 AM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\ipxv32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\nettg.exe
C:\WINDOWS\nettg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Jeff Nichols\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wnvvt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe
O4 - HKLM\..\RunOnce: [ntpm32.exe] C:\WINDOWS\ntpm32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKLM\..\RunOnce: [ipkh.exe] C:\WINDOWS\ipkh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} - http://virusscanasap...in/myCioAgt.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{B422B162-5A15-4DA7-B438-50DA6BBBD3C3}: NameServer = 151.197.0.38,151.197.0.39
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\WINDOWS\myCIO\Agent\myRmProt2.7.2.211.dll

#9 headshell

headshell

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 04 August 2004 - 01:45 PM

I'm also getting an error "windows had a problem with ipkh.exe" multiple times.
thx

#10 Racktracker

Racktracker

    Hunter of Malware

  • Retired Staff
  • PipPipPipPipPip
  • 1,306 posts

Posted 04 August 2004 - 04:22 PM

Hi headshell,
Autodad is on vacation this week and he asked if I would help you out while he is gone.

Sometimes this particular infection can be very frustrating to remove; it seems to just keep coming back from nowhere. So let's give it another shot.

First open about:buster and check for any new updates.

Then boot into safe mode.

Run another HijackThis scan. Place a check next to the following entries, then close all open windows and click the fix button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wnvvt.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll
O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe
O4 - HKLM\..\RunOnce: [ntpm32.exe] C:\WINDOWS\ntpm32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKLM\..\RunOnce: [ipkh.exe] C:\WINDOWS\ipkh.exe

Close HijackThis.

Then locate these files and delete them:
C:\WINDOWS\system32\ipaw32.dll
C:\WINDOWS\ipxv32.exe
C:\WINDOWS\ntpm32.exe
C:\WINDOWS\nettg.exe
C:\WINDOWS\ipkh.exe

Then run an adaware scan.

Open About:buster, hit start and then Ok. The program should start scanning. After it finishes scanning, hit exit and reboot. After reboot post the report and a new HijackThis log here.
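The entries Racktracker picks out above follow a recognisable pattern: IE home and search settings pointing at a `res://` page inside a local DLL, a BHO with no name, a missing URLSearchHook, and Run/RunOnce entries for short random-named executables sitting directly in `C:\WINDOWS`. The script below is an added example (not part of the thread, and not HijackThis or About:buster) that applies those same checks to a HijackThis log so a helper can compare the fix list against a mechanical triage. The sample log is an excerpt copied from the log in this thread; the regexes and the "loose executable" heuristic are the example's own assumptions, and legitimate system binaries in `system32` also match that heuristic, so the output is a list to review, not a cleanup list.

```python
"""Triage a HijackThis log for a DLL-hosted start-page hijack.

Added example for this thread (not HijackThis's own code).  It classifies
R0/R1/R3/O2/O4 lines and returns the ones matching the patterns a helper
would ask to fix: res:// IE settings, unnamed BHOs, a missing URLSearchHook,
and autostarts that run a loose executable straight out of C:\\WINDOWS.
"""
import re

# Excerpt copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\wnvvt.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://wnvvt.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {15F23213-9CF2-EAE8-257C-69A75EC75BC0} - C:\WINDOWS\system32\ipaw32.dll
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [ipxv32.exe] C:\WINDOWS\ipxv32.exe
O4 - HKLM\..\RunOnce: [ntpm32.exe] C:\WINDOWS\ntpm32.exe
O4 - HKLM\..\RunOnce: [nettg.exe] C:\WINDOWS\nettg.exe
O4 - HKLM\..\RunOnce: [ipkh.exe] C:\WINDOWS\ipkh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

# "R1 - body" / "O4 - body" line shape used by HijackThis 1.x logs.
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# res://[C:\dir\]name.dll/page  -> capture the DLL file name.
RES_URL = re.compile(r"res://(?:[A-Z]:\\[^/]*\\)?(?P<dll>[^/\\]+\.dll)/", re.I)
# First .exe path in an autostart command, with or without quotes.
EXE_PATH = re.compile(r'"?(?P<path>[A-Z]:\\[^"]*?\.exe)"?', re.I)
# Heuristic (assumption): a short alphanumeric .exe directly under
# C:\WINDOWS or C:\WINDOWS\system32.  Real system binaries match too.
LOOSE_EXE = re.compile(r"^C:\\WINDOWS\\(?:system32\\)?[a-z0-9]{3,8}\.exe$", re.I)


def classify(line):
    """Return (flagged, reason, artifact) for one log line, or None if the
    line is not a HijackThis entry.  artifact is a file path or DLL name."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        value = body.split("=", 1)[-1].strip()
        r = RES_URL.search(value)
        if r:
            return True, "IE setting served from a local DLL via res://", r.group("dll").lower()
        return False, "IE setting with an ordinary URL", None
    if kind == "R3":
        # HijackThis only prints R3 when the hook is missing or replaced.
        return True, body, None
    if kind == "O2":
        path = body.rsplit(" - ", 1)[-1].strip()
        if "(no name)" in body:
            return True, "BHO registered without a name", path
        return False, "named BHO", path
    if kind == "O4":
        m2 = EXE_PATH.search(body.split("]", 1)[-1])
        path = m2.group("path") if m2 else None
        if path and LOOSE_EXE.match(path):
            return True, "autostart runs a loose executable from the Windows directory", path
        return False, "autostart from a vendor directory", path
    return False, f"{kind} entry not covered by this triage", None


def triage(log_text):
    """All flagged entries as (line, reason, artifact) tuples."""
    out = []
    for line in log_text.splitlines():
        res = classify(line)
        if res and res[0]:
            out.append((line.strip(), res[1], res[2]))
    return out


def files_to_remove(log_text):
    """Full paths of flagged O2/O4 artifacts: the candidate delete list."""
    return {a for ln, _, a in triage(log_text) if a and ln[:2] in ("O2", "O4")}


def hijack_dlls(log_text):
    """DLL names hosting res:// pages in flagged R0/R1 entries."""
    return {a for ln, _, a in triage(log_text) if a and ln[:2] in ("R0", "R1")}


if __name__ == "__main__":
    for line, reason, artifact in triage(SAMPLE_LOG):
        print(f"[{reason}] {artifact or ''}\n    {line}")
    print("candidate files:", sorted(files_to_remove(SAMPLE_LOG)))
    print("hijack DLLs:", sorted(hijack_dlls(SAMPLE_LOG)))
```

On the sample excerpt `files_to_remove` yields exactly the five paths Racktracker lists for deletion, while the Dell printer, myCIO and AIM autostarts pass untouched because they live under vendor directories. `hijack_dlls` separately surfaces `wnvvt.dll`, the DLL serving the `res://` start and search pages, which the fix list above leaves to About:buster rather than to a manual delete.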