Veeduber

CoolWebSearch...Removed?


Hey Folks -

 

I recently was infected with CoolWeb Search. I spoke with a few techs moderating the Comcast support forum, and they had me run several utilities to help diagnose & clean my machine.

 

The Malware was trouble to get rid of, and returned errors in the removal logs. A tech that was helping me, JohnD, asked me to post my logs on this forum to hopefully figure out if my machine is truly clean, and to inform this forum of any changes that this Malware has undergone.

 

Below are my logs...

 

I have been infected with Cool Web Search. It is killing me! I have downloaded & run Ad Aware, Spybot, Spykiller (which I removed) & HijackThis! Here is the log from HijackThis:--V Please advise. All of these scanners work, until the browser is closed (sometimes it works for a few closes). HijackThis displays the results & allows me to decide which is clean & not. I hope this forum can help!

 

Logfile of HijackThis v1.97.7

Scan saved at 11:01:46 AM, on 6/26/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Access97\Office\OSA.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\kfa\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Access97\Office\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: ComcastHSI (HKLM)

O9 - Extra button: Support (HKLM)

O9 - Extra button: Help (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

 

All of these scanners work, until the browser is closed (sometimes it works for a few closes). HijackThis displays the results & allows me to decide which is clean & not. I hope this forum can help!

 

 

Message was edited by: Michael (ComcastOnline)

 

Moved to a new thread.

 

 

 

 

TNTaangela Re: READ THIS FIRST IF YOU'VE BEEN HIJACKED HAVE SPYWARE OR YOUR PC'S INFEC Jun 26, 2004 5:00 PM

 

Posts: 1,474 From: Nashville, TN

Registered: Oct 1, 2003


 

You need to start a new thread and post your HJT log into it. That way there is no confusion. Also, click the Settings at the top of the forum and get a username. Again, to cut down on confusion.

 

 

 

CajunTek Re: Infected with CoolWebSearch Jun 26, 2004 8:49 PM

 

Posts: 3,056 From: Arlington Texas

Registered: Oct 7, 2003


 

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm Do not run it yet!!!

Scan with hijackthis and fix the following lines

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KALBRE~1\LOCALS~1\Temp\sp.html

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

 

THIS IS THE BHO FOR THE FIX IN THE APM PROGRAM

O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll

 

Then start APM.

In the upper window select explorer.exe

In the lower window find and right-click the BHO from the HijackThis log

Select Unload DLL and click OK on the prompts that follow.

 

Scan with ad-aware again and set it up for a fullscan per the linked procedure..

 

Scan again with hijackthis and post a new log..

 

 

 

VeeDuber Re: Infected with CoolWebSearch - Updated Jun 28, 2004 9:48 PM

 

Posts: 10 From: Renton

Registered: Jun 22, 2004


 

OK, CajunTek -

 

Thanks for the reply. I followed all of your direction, except for the following:

 

In the upper window select explorer.exe

In the lower window find and right-click the BHO from the HijackThis log

Select Unload DLL and click OK on the prompts that follow.

 

 

In the APM application, BHO was not listed with explorer.exe selected. I did close the hijack this program once I cleaned the files per your instruction. Hijack this did not even show up in the folder list.

 

I ran adaware again, and although it showed 12 items, 10 of the twelve were tracking cookies. Two were the about:blank item registry entries.

 

So here are my log files. First the Adaware log:

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Monday, June 28, 2004 6:31:52 PM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R324 22.06.2004

______________________________________________________

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R324 22.06.2004

Internal build : 256

File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref

Total size : 1265402 Bytes

Signature data size : 1244925 Bytes

Reference data size : 20413 Bytes

Signatures total : 27677

Target categories : 10

Target families : 506

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:42 %

Total physical memory:514864 kb

Available physical memory:214832 kb

Total page file size:1257388 kb

Available on page file:910240 kb

Total virtual memory:2097024 kb

Available virtual memory:2051788 kb

OS:Windows 2000

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

6-28-2004 6:31:52 PM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ThreadCreationTime : 6-29-2004 1:01:28 AM

BasePriority : Normal

 

 

#:2 [winlogon.exe]

FilePath : \??\C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:39 AM

BasePriority : High

 

 

#:3 [services.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:41 AM

BasePriority : Normal

FileSize : 87 KB

FileVersion : 5.00.2195.6700

ProductVersion : 5.00.2195.6700

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

OriginalFilename : services.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:27 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:4 [lsass.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:41 AM

BasePriority : Normal

FileSize : 32 KB

FileVersion : 5.00.2195.6902

ProductVersion : 5.00.2195.6902

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : LSA Executable and Server DLL (Export Version)

InternalName : lsasrv.dll and lsass.exe

OriginalFilename : lsasrv.dll and lsass.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:27 AM

Last modified : 2/25/2004 11:59:07 PM

 

#:5 [svchost.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:44 AM

BasePriority : Normal

FileSize : 7 KB

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:29 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:6 [spoolsv.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:44 AM

BasePriority : Normal

FileSize : 44 KB

FileVersion : 5.00.2195.6659

ProductVersion : 5.00.2195.6659

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolss.exe

OriginalFilename : spoolss.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 2/20/2004 4:11:25 PM

Last accessed : 6/29/2004 12:43:30 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:7 [svchost.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:45 AM

BasePriority : Normal

FileSize : 7 KB

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:29 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:8 [hidserv.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:45 AM

BasePriority : Normal

FileSize : 19 KB

FileVersion : 5.00.2195.6655

ProductVersion : 5.00.2195.6655

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : HID Audio Service

InternalName : hidserv

OriginalFilename : HIDSERV.EXE

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 2/26/2004 5:43:25 PM

Last accessed : 6/29/2004 12:43:35 AM

Last modified : 6/19/2003 8:05:04 PM

 

#:9 [incdsrv.exe]

FilePath : C:\Program Files\Ahead\InCD\

ThreadCreationTime : 6-29-2004 1:01:46 AM

BasePriority : Normal

FileSize : 780 KB

FileVersion : 4, 0, 5, 4

ProductVersion : 4, 0, 5, 4

Copyright : Copyright

CompanyName : AHEAD Software

FileDescription : incdsrv

InternalName : incdsrv

OriginalFilename : incdsrv.exe

ProductName : AHEAD Software incdsrv

Created on : 2/21/2004 2:30:50 AM

Last accessed : 6/29/2004 12:43:36 AM

Last modified : 9/1/2003 1:32:08 PM

 

#:10 [mcvsrte.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ThreadCreationTime : 6-29-2004 1:01:51 AM

BasePriority : Normal

FileSize : 104 KB

FileVersion : 8, 0, 0, 12

ProductVersion : 8, 0, 0, 0

Copyright : Copyright

CompanyName : Networks Associates Technology, Inc

FileDescription : McAfee VirusScan Real-time Engine

InternalName : mcvsrte

OriginalFilename : mcvsrte.exe

ProductName : McAfee VirusScan

Created on : 6/23/2004 1:37:35 AM

Last accessed : 6/29/2004 1:02:56 AM

Last modified : 8/9/2003 1:04:38 AM

 

#:11 [mpfservice.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ThreadCreationTime : 6-29-2004 1:01:54 AM

BasePriority : Normal

FileSize : 492 KB

FileVersion : 4.1.0.1

ProductVersion : 4.1.0.1

Copyright : Copyright

CompanyName : McAfee Corporation

FileDescription : McAfee Personal Firewall Service

InternalName : MPFService

OriginalFilename : MpfService.exe

ProductName : McAfee Personal Firewall

Created on : 6/23/2004 1:45:16 AM

Last accessed : 6/29/2004 1:01:54 AM

Last modified : 9/2/2003 9:00:00 PM

 

#:12 [regsvc.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:55 AM

BasePriority : Normal

FileSize : 66 KB

FileVersion : 5.00.2195.6701

ProductVersion : 5.00.2195.6701

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Remote Registry Service

InternalName : regsvc

OriginalFilename : REGSVC.EXE

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:38 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:13 [mstask.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:56 AM

BasePriority : Normal

FileSize : 116 KB

FileVersion : 4.71.2195.6704

ProductVersion : 4.71.2195.6704

Copyright : Copyright © Microsoft Corp. 1997

CompanyName : Microsoft Corporation

FileDescription : Task Scheduler Engine

InternalName : TaskScheduler

OriginalFilename : mstask.exe

ProductName : Microsoft

Created on : 2/21/2004 12:28:39 AM

Last accessed : 6/29/2004 1:03:11 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:14 [winmgmt.exe]

FilePath : C:\WINNT\System32\WBEM\

ThreadCreationTime : 6-29-2004 1:01:57 AM

BasePriority : Normal

FileSize : 192 KB

FileVersion : 1.50.1085.0100

ProductVersion : 1.50.1085.0100

Copyright : Copyright © Microsoft Corp. 1995-1999

CompanyName : Microsoft Corporation

FileDescription : Windows Management Instrumentation

InternalName : WINMGMT

ProductName : Windows Management Instrumentation

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:39 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:15 [mspmspsv.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:57 AM

BasePriority : Normal

FileSize : 52 KB

FileVersion : 7.01.00.3055

ProductVersion : 7.01.00.3055

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : WMDM PMSP Service

InternalName : MSPMSPSV.EXE

OriginalFilename : MSPMSPSV.EXE

ProductName : Microsoft ® DRM

Created on : 6/3/2004 2:50:05 AM

Last accessed : 6/29/2004 12:43:39 AM

Last modified : 5/2/2001 12:06:22 AM

 

#:16 [svchost.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:01:57 AM

BasePriority : Normal

FileSize : 7 KB

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

OriginalFilename : svchost.exe

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 12:43:29 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:17 [mcshield.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ThreadCreationTime : 6-29-2004 1:02:07 AM

BasePriority : High

FileSize : 224 KB

Created on : 6/23/2004 1:37:34 AM

Last accessed : 6/29/2004 1:02:07 AM

Last modified : 3/13/2002 3:50:26 PM

 

#:18 [explorer.exe]

FilePath : C:\WINNT\

ThreadCreationTime : 6-29-2004 1:02:27 AM

BasePriority : Normal

FileSize : 237 KB

FileVersion : 5.00.3700.6690

ProductVersion : 5.00.3700.6690

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 7/14/2003 12:00:00 PM

Last accessed : 6/29/2004 1:02:27 AM

Last modified : 7/14/2003 12:00:00 PM

 

#:19 [igfxtray.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:02:36 AM

BasePriority : Normal

FileSize : 152 KB

FileVersion : 3,0,0,2104

ProductVersion : 7,0,0,2104

Copyright : Copyright 1999-2003, Intel Corporation

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

OriginalFilename : IGFXTRAY.EXE

ProductName : Intel® Common User Interface

Created on : 2/21/2004 2:18:29 AM

Last accessed : 6/29/2004 12:44:14 AM

Last modified : 4/6/2003 4:19:52 PM

 

#:20 [hkcmd.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:02:36 AM

BasePriority : Normal

FileSize : 112 KB

FileVersion : 3,0,0,2104

ProductVersion : 7,0,0,2104

Copyright : Copyright 1999-2003, Intel Corporation

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

OriginalFilename : HKCMD.EXE

ProductName : Intel® Common User Interface

Created on : 2/21/2004 2:18:24 AM

Last accessed : 6/29/2004 12:44:15 AM

Last modified : 4/6/2003 4:07:38 PM

 

#:21 [soundman.exe]

FilePath : C:\WINNT\

ThreadCreationTime : 6-29-2004 1:02:36 AM

BasePriority : Normal

FileSize : 61 KB

FileVersion : 5.1.14

ProductVersion : 5.1.14

Copyright : Copyright © 2001-2003 Realtek Semiconductor Corp.

CompanyName : Realtek Semiconductor Corp.

FileDescription : Realtek Sound Manager

InternalName : ALSMTray

OriginalFilename : ALSMTray.exe

ProductName : Realtek Sound Manager

Created on : 2/21/2004 2:19:14 AM

Last accessed : 6/29/2004 12:44:15 AM

Last modified : 11/13/2003 10:23:52 AM

 

#:22 [incd.exe]

FilePath : C:\Program Files\Ahead\InCD\

ThreadCreationTime : 6-29-2004 1:02:38 AM

BasePriority : Normal

FileSize : 1172 KB

FileVersion : 4, 0, 5, 4

ProductVersion : 4, 0, 5, 4

Copyright : Copyright © 2003 Ahead Software and its licensors

CompanyName : Ahead Software AG

FileDescription : InCD

InternalName : InCD

OriginalFilename : InCD.exe

ProductName : InCD

Created on : 2/21/2004 2:30:48 AM

Last accessed : 6/29/2004 12:44:18 AM

Last modified : 9/1/2003 1:32:36 PM

 

#:23 [tgcmd.exe]

FilePath : C:\Program Files\support.com\bin\

ThreadCreationTime : 6-29-2004 1:02:39 AM

BasePriority : Normal

FileSize : 1508 KB

FileVersion : 5,5,402,0

ProductVersion : 5,5,402,0

Copyright : Copyright 1997-2069 Support.com

CompanyName : Support.com, Inc.

FileDescription : Support.com Scheduler and Command Dispatcher

InternalName : TGCMD

OriginalFilename : TGCMD.EXE

ProductName : Support.com Scheduler and Command Dispatcher

Created on : 4/24/2002 7:55:54 PM

Last accessed : 6/29/2004 12:44:21 AM

Last modified : 4/25/2002 1:37:43 AM

 

#:24 [mcvsshld.exe]

FilePath : C:\PROGRA~1\mcafee.com\vso\

ThreadCreationTime : 6-29-2004 1:02:41 AM

BasePriority : Normal

FileSize : 160 KB

FileVersion : 8, 0, 0, 15

ProductVersion : 8, 0, 0, 0

Copyright : Copyright

CompanyName : Networks Associates Technology, Inc

FileDescription : McAfee VirusScan ActiveShield Resource

InternalName : msvcshld

OriginalFilename : mcvsshld.exe

ProductName : McAfee VirusScan

Created on : 6/23/2004 1:37:35 AM

Last accessed : 6/29/2004 1:02:41 AM

Last modified : 8/18/2003 4:50:34 AM

 

#:25 [mcagent.exe]

FilePath : C:\PROGRA~1\mcafee.com\agent\

ThreadCreationTime : 6-29-2004 1:02:42 AM

BasePriority : Normal

FileSize : 240 KB

FileVersion : 4, 3, 0, 27

ProductVersion : 4, 3, 0, 0

Copyright : Copyright

CompanyName : Networks Associates Technology, Inc

FileDescription : McAfee SecurityCenter Agent

InternalName : mcagent

OriginalFilename : mcagent.exe

ProductName : McAfee SecurityCenter

Created on : 6/23/2004 1:37:33 AM

Last accessed : 6/29/2004 1:02:42 AM

Last modified : 12/8/2003 10:38:52 PM

 

#:26 [mcvsescn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ThreadCreationTime : 6-29-2004 1:02:43 AM

BasePriority : Normal

FileSize : 408 KB

FileVersion : 8, 0, 0, 30

ProductVersion : 8, 0, 0, 0

Copyright : Copyright

CompanyName : Networks Associates Technology, Inc

FileDescription : McAfee VirusScan E-mail Scan Module

InternalName : mcvsescn

OriginalFilename : mcvsescn.EXE

ProductName : McAfee VirusScan

Created on : 6/23/2004 1:37:36 AM

Last accessed : 6/29/2004 1:23:32 AM

Last modified : 4/29/2004 12:55:12 AM

 

#:27 [jusched.exe]

FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\

ThreadCreationTime : 6-29-2004 1:02:43 AM

BasePriority : Normal

FileSize : 32 KB

Created on : 2/23/2068 6:44:46 AM

Last accessed : 6/29/2004 12:44:29 AM

Last modified : 2/23/2004 6:44:44 AM

 

#:28 [mpftray.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ThreadCreationTime : 6-29-2004 1:02:44 AM

BasePriority : Normal

FileSize : 1348 KB

FileVersion : 5.0.1.5

ProductVersion : 5.0.1.5

Copyright : Copyright

CompanyName : McAfee Security

FileDescription : McAfee Personal Firewall Tray Monitor

InternalName : MpfTray

OriginalFilename : MPFTRAY.EXE

ProductName : McAfee Personal Firewall (MPF)

Created on : 6/23/2004 1:45:17 AM

Last accessed : 6/29/2004 1:03:33 AM

Last modified : 3/24/2004 10:56:00 PM

 

#:29 [ctfmon.exe]

FilePath : C:\WINNT\system32\

ThreadCreationTime : 6-29-2004 1:02:47 AM

BasePriority : Normal

FileSize : 8 KB

FileVersion : 1.00.2409.7 built by: Lab06_N

ProductVersion : 1.00.2409.7

Copyright : Copyright © Microsoft Corporation. 1981-2001

CompanyName : Microsoft Corporation

FileDescription : Cicero Loader

InternalName : CICLOAD

OriginalFilename : CICLOAD.EXE

ProductName : Microsoft® Windows NT® Operating System

Created on : 2/20/2001 8:09:54 PM

Last accessed : 6/29/2004 12:44:29 AM

Last modified : 2/20/2001 8:09:54 PM

 

#:30 [mfindexer.exe]

FilePath : C:\Corel\Graphics8\Programs\

ThreadCreationTime : 6-29-2004 1:02:48 AM

BasePriority : Normal

FileSize : 81 KB

FileVersion : 8.232

ProductVersion : 8.232

Copyright : Copyright

CompanyName : Corel Corporation

FileDescription : Utility which indexes Corel Media Folders

InternalName : Corel Media Indexer

OriginalFilename : MFIndexer.exe

ProductName : CorelDRAW

Created on : 5/8/2004 4:39:06 PM

Last accessed : 6/29/2004 12:44:31 AM

Last modified : 11/7/1997 5:55:46 PM

 

#:31 [osa.exe]

FilePath : C:\Program Files\Access97\Office\

ThreadCreationTime : 6-29-2004 1:02:50 AM

BasePriority : Normal

FileSize : 60 KB

Created on : 7/11/1997 7:00:00 AM

Last accessed : 6/29/2004 12:44:32 AM

Last modified : 7/11/1997 7:00:00 AM

 

#:32 [winword.exe]

FilePath : C:\Program Files\Microsoft Office\Office\

ThreadCreationTime : 6-29-2004 1:02:50 AM

BasePriority : Normal

FileSize : 8592 KB

FileVersion : 9.0.2717

ProductVersion : 9.0.2717

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Word for Windows

InternalName : WinWord

OriginalFilename : WinWord.exe

ProductName : Microsoft Office 2000

Created on : 3/18/1999 5:38:10 AM

Last accessed : 6/29/2004 1:02:50 AM

Last modified : 3/18/1999 5:38:10 AM

 

#:33 [mpfagent.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ThreadCreationTime : 6-29-2004 1:02:57 AM

BasePriority : Normal

FileSize : 556 KB

FileVersion : 5.1.0.8

ProductVersion : 5.1.0.8

Copyright : Copyright

CompanyName : McAfee Security

FileDescription : McAfee Personal Firewall Agent Interface

InternalName : MpfAgent

OriginalFilename : MPFAGENT.EXE

ProductName : McAfee Personal Firewall (MPF)

Created on : 6/23/2004 1:45:17 AM

Last accessed : 6/29/2004 1:02:57 AM

Last modified : 6/7/2004 5:42:20 PM

 

#:34 [tgagentm.exe]

FilePath : C:\Program Files\support.com\comcastsupport\

ThreadCreationTime : 6-29-2004 1:06:53 AM

BasePriority : Normal

FileSize : 1140 KB

FileVersion : 5, 5, 402, 1

ProductVersion : 5, 5, 402, 1

Copyright : Copyright 1997-2069 Support.com

CompanyName : Support.com, Inc.

FileDescription : ComcastSUPPORT Agent

InternalName : TGAGENTM

OriginalFilename : TGAGENTM.EXE

ProductName : ComcastSupport Agent

Created on : 7/26/2002 1:41:26 AM

Last accessed : 6/29/2004 1:06:55 AM

Last modified : 9/11/2002 9:55:42 PM

 

#:35 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ThreadCreationTime : 6-29-2004 1:08:57 AM

BasePriority : Normal

FileSize : 89 KB

FileVersion : 6.00.2800.1106

ProductVersion : 6.00.2800.1106

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

OriginalFilename : IEXPLORE.EXE

ProductName : Microsoft

Created on : 8/29/2002 3:14:40 PM

Last accessed : 6/29/2004 1:08:57 AM

Last modified : 8/29/2002 3:14:40 PM

 

#:36 [outlook.exe]

FilePath : C:\Program Files\Microsoft Office\Office\

ThreadCreationTime : 6-29-2004 1:12:47 AM

BasePriority : Normal

FileSize : 56 KB

FileVersion : 9.0.2416

ProductVersion : 9.0.2416

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Outlook

InternalName : Outlook

OriginalFilename : Outlook.exe

ProductName : Microsoft Outlook

Created on : 12/16/1998 9:09:20 PM

Last accessed : 6/29/2004 1:12:47 AM

Last modified : 12/16/1998 9:09:20 PM

 

#:37 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-aware 6\

ThreadCreationTime : 6-29-2004 1:25:49 AM

BasePriority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 6/26/2004 12:43:04 AM

Last accessed : 6/29/2004 1:25:49 AM

Last modified : 7/13/2003 4:00:20 AM

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "about:blank"

Category : Data Miner

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "about:blank"

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 2

Objects found so far: 2

 

 

Deep scanning and examining files (C

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

Type : File

Data : administrator@atdmt[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\Administrator\Cookies\

 

Created on : 6/26/2004 6:44:51 PM

Last accessed : 6/29/2004 1:32:52 AM

Last modified : 6/26/2004 6:44:51 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@0[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:56:05 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:56:05 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@2o7[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:46:52 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 3:10:57 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@ads.addynamix[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

FileSize : 1 KB

Created on : 6/28/2004 2:56:04 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:57:27 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@cgi-bin[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 3:46:13 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 3:46:13 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@overture[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:47:31 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 12:24:23 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@qksrv[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:57:27 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:57:27 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@server.iad.liveperson[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:51:28 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:51:28 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@tmpad[1].txt

Category : Data Miner

Comment : www.searchtraffic.com

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:33:53 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:33:53 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@trafficmp[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:33:53 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:33:53 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@tribalfusion[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 2:57:26 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 2:57:26 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : kalbrecht@www.maximumcash[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\kalbrecht\Cookies\

 

Created on : 6/28/2004 3:07:06 AM

Last accessed : 6/29/2004 1:32:59 AM

Last modified : 6/28/2004 3:07:06 AM

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 14

 

 

Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯ ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Hosts file scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

1 entries scanned.

New objects :0

Objects found so far: 14

 

 

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 14

 

 

6:35:15 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:03:22:453

Objects scanned :85689

Objects identified :14

Objects ignored :0

New objects :14

 

And now the HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 6:38:48 PM, on 6/28/2004

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\igfxtray.exe

C:\WINNT\system32\hkcmd.exe

C:\WINNT\SOUNDMAN.EXE

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\support.com\bin\tgcmd.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\WINNT\system32\ctfmon.exe

C:\Corel\Graphics8\Programs\MFIndexer.exe

C:\Program Files\Access97\Office\OSA.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\support.com\comcastsupport\tgagentm.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\kfa\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.dogpile.com/info.dogpl.toolbar/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {C45884EB-EC14-4AB5-90CD-5EA2C4DEB9FB} - C:\WINNT\system32\dcfe.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Dogpile Toolbar - {5E92F538-B50B-46C5-9C5F-C6EECED3F6C6} - C:\Program Files\DogpileToolbar\ultrabar.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [spyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe

O4 - Global Startup: Office Startup.lnk = C:\Program Files\Access97\Office\OSA.EXE

O8 - Extra context menu item: Dogpile Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\DogpileToolbar\contextsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ComcastHSI (HKLM)

O9 - Extra button: Support (HKLM)

O9 - Extra button: Help (HKLM)

O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

 

Thanks again for your help!

 

 

 

JohnD Re: Infected with CoolWebSearch - Updated Jun 28, 2004 11:15 PM

 

Posts: 1,300 From: Elk Grove Vil, IL

Registered: Jun 30, 2003

Reply

 

VeeDuber,

 

I suspect that your infection may return if you have not removed the DLL which is causing it. I would also suggest you download CWShredder and see if it finds anything. If it returns, you need to try CajunTek's solution. What he meant by "rightclick the BHO from the HijackThis log" was to select dcfe.dll. This is a cause of the infection and hopefully the only one. There may be another hidden one on your system which will require another tool.

 

 

 

VeeDuber Re: Infected with CoolWebSearch - Updated Jun 29, 2004 12:46 AM

 

Posts: 10 From: Renton

Registered: Jun 22, 2004

Reply

 

John -

 

Where should I look for this DLL? And what is the risk involved in deleting/renaming it? What would the process be to get this CoolWeb search off of my machine? I have tried MANY of the anti spy software AV software...

 

CWShredder was one of them, Ad-Aware, HijackThis... I keep tryin'

 

 

 

JohnD Re: Infected with CoolWebSearch - Updated Jun 29, 2004 2:14 AM

 

Posts: 1,300 From: Elk Grove Vil, IL

Registered: Jun 30, 2003

Reply

 

1. Download FindnFix.exe from here: http://freeatlast100.100free.com/

 

2. Double Click on FindnFix.exe and it will install the batch file in its own folder.

 

3. Open the FindnFix folder and double click on !LOG!.bat.

 

IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

 

4. Wait a few minutes while the program collects the necessary information.

 

*NOTE: If your AntiVirus is running a script blocker when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

 

5. When the program is finished, open the FindnFix folder.

a. Post the contents of Log.txt in this thread.

b. Also post the WIN.txt file in the same post.

 

 

 

VeeDuber Re: Infected with CoolWebSearch - Updated Jun 29, 2004 10:17 PM

 

Posts: 10 From: Renton

Registered: Jun 22, 2004

Reply

 

Thanks JohnD -

 

Here are my logs:

 

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is NTFS.

C: is not dirty.

 

Tue 06/29/2004

7:11pm up 0 days, 0:21

 

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»

 

Scanning for file(s)...

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

»»»»» (*1*) »»»»» .........

»»Locked or 'Suspect' file(s) found...

 

 

C:\WINNT\System32\COMGGOG.DLL +++ File read error

\\?\C:\WINNT\System32\COMGGOG.DLL +++ File read error

 

»»»»» (*2*) »»»»»........

**File C:\FINDnFIX\LIST.TXT

COMGGOG.DLL Can't Open!

 

»»»»» (*3*) »»»»»........

 

C:\WINNT\SYSTEM32\

comggog.dll Mon Jun 21 2004 9:54:20p A...R 57,344 56.00 K

nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K

ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

 

3 items found: 3 files (2 H/S), 0 directories.

Total of file sizes: 59,392 bytes 58.00 K

 

unknown/hidden files...

 

C:\WINNT\SYSTEM32\

nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K

ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 2,048 bytes 2.00 K

 

»»»»» (*4*) »»»»».........

Sniffing..........

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\COMGGOG.DLL

Sniffed -> C:\WINNT\SYSTEM32\NTICDM~1.DLL

Sniffed -> C:\WINNT\SYSTEM32\NTIEMBED.DLL

»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» *»»»

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

»»Dumping Values........

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read BUILTIN\Users

(IO) ALLOW Read BUILTIN\Users

(NI) ALLOW Read BUILTIN\Power Users

(IO) ALLOW Read BUILTIN\Power Users

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access BUILTIN\Administrators

(NI) ALLOW Full access NT AUTHORITY\SYSTEM

(IO) ALLOW Full access NT AUTHORITY\SYSTEM

(NI) ALLOW Full access BUILTIN\Administrators

(IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Read BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

»»Member of...: (Admin logon required!)

User is a member of group USER-D7A07D9E29\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

User is a member of group \LOCAL.

 

»» Service searchdifferent variant) '"Network Security Service","__NS_Service_3"...

 

[sC] GetServiceKeyName FAILED 1060:

 

The specified service does not exist as an installed service.

 

[sC] GetServiceDisplayName FAILED 1060:

 

The specified service does not exist as an installed service.

 

 

»»Dir 'junkxxx' was created with the following permissions...

(FAT32=NA)

Directory "C:\junkxxx"

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: USER-D7A07D9E29\None

 

 

 

»»»»»»Backups created...»»»»»»

7:12pm up 0 days, 0:21

Tue 06/29/2004

 

A C:\FINDnFIX\winBack.hiv

--a-- - - - - - 8,192 06-29-2004 winback.hiv

A C:\FINDnFIX\keys1\winkey.reg

--a-- - - - - - 287 06-29-2004 winkey.reg

 

»»Performing 16bit string scan....

 

---------- WIN.TXT

AppInit_DLLsp

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

Windows

AppInit

DLLsp

DeviceNotSelectedTimeout

GDIProcessHandleQuota

Spooler

swapdisk

TransmissionRetryTimeout

USERProcessHandleQuotan

 

**File C:\FINDnFIX\WIN.TXT

ÿÿÿÿàÿÿÿÐ 8 € ° à @ Øÿÿÿvk < ø o AppInit_DLLsp o ÀÿÿÿC : \ W I N N T \ s y s t e m 3 2 \ c o m g g o g . d l l Ðÿÿÿvk h k DeviceNotSelectedTimeoutèÿÿÿ1 5 h ¸ ð Ðÿÿÿvk €' o GDIProcessHandleQuota e àÿÿÿvk Ð \ Spooler ðÿÿÿy e s m p àÿÿÿvk € K swapdiskÐÿÿÿvk 0 c TransmissionRetryTimeoutðÿÿÿ9 0 h Ðÿÿÿvk €' i USERProcessHandleQuotan ? ÿÿÿÿÿÿÿÿ/Lu=Lu????ÿÿÿÿ¢Lu°Lu????ÿÿÿÿ"Mu0Mu????ÿÿÿÿ’Mu Mu????ÿ ÿÿÿNuNu????ÿÿÿÿrNu€Nu????ÿÿÿÿOu&Ou????ÿÿÿÿ¡Ou¯Ou????ÿÿÿ ÿ*Pu8Pu????ÿÿÿÿ¤Pu²Pu????ÿÿÿÿ$Qu2Qu????ÿÿÿÿ›Qu©Qu????ÿÿÿÿçYuø Yu ¸YuÉYuÿÿÿÿ’Zu Zu????ÿÿÿÿK\u\\u????ÿÿÿÿŒ]uš]u????ÿÿÿÿ6^uD^u( ` ~ ! @ # $ % ^ & * _ - + = | \ { } [ ] : ; " ' < > , . ? ) ????ÿÿÿÿqcu?cu????ÿÿÿÿ eu.eu????ÿÿÿÿJfuXfu????ÿÿÿÿÈfuÖfu????ÿÿÿÿ­hu»hu????D xW44Í«ï #Eg‰¬ ]ˆŠëÉŸè +H` u½yuÌyuˆÂu ¸uÀu

 

And if that last bit wasn't messy enough, here is the Win.txt text:

 


 

Thanks again for your help. It is much appreciated. - K

 

 

 

JohnD Re: Infected with CoolWebSearch - Updated Jun 29, 2004 10:46 PM

 

Posts: 1,300 From: Elk Grove Vil, IL


We need some assistance from "freeatlast". When VeeDuber ran the second FINDnFIX process, it failed to move the file to the C:\junkxxx folder. Here is the log1.txt file.

 

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»»

 

Tue 06/29/2004

10:06pm up 0 days, 0:02

 

Microsoft Windows 2000 [Version 5.00.2195]

The type of the file system is NTFS.

C: is not dirty.

 

»»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»»

Scanning for file(s)...

 

»»»»»»» (1) »»»»»»»

\\?\C:\WINNT\System32\COMGGOG.DLL +++ File read error

 

»»»»»»» (2) »»»»»»»

**File C:\FINDnFIX\LIST.TXT

COMGGOG.DLL Can't Open!

 

»»»»»»» (3) »»»»»»»

 

C:\WINNT\SYSTEM32\

comggog.dll Mon Jun 21 2004 9:54:20p A...R 57,344 56.00 K

nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K

ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

 

3 items found: 3 files (2 H/S), 0 directories.

Total of file sizes: 59,392 bytes 58.00 K

 

C:\WINNT\SYSTEM32\

nticdm~1.dll Sat Apr 3 2004 11:56:56a ...HR 1,024 1.00 K

ntiembed.dll Sat Apr 3 2004 11:57:46a ...HR 1,024 1.00 K

 

2 items found: 2 files, 0 directories.

Total of file sizes: 2,048 bytes 2.00 K

 

»»»»»»» (4) »»»»»»»

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

Sniffed -> C:\WINNT\SYSTEM32\COMGGOG.DLL

Sniffed -> C:\WINNT\SYSTEM32\NTICDM~1.DLL

Sniffed -> C:\WINNT\SYSTEM32\NTIEMBED.DLL

 

»»»*»»» Scanning for moved file... »»»*»»»

 

No matches found.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 

fgrep: no files found for C:\JUNKXXX\*.*

**File C:\FINDnFIX\LIST.TXT

COMGGOG.DLL Can't Open!

 

move C:\WINDOWS\System32\COMGGOG.dll c:\junkxxx\COMGGOG.dll

 

 

 

 

File not found - C:\junkxxx\*.*

 

»»Permissions:

There are no more files.

 

Directory "C:\junkxxx\."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM

Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

 

Owner: BUILTIN\Administrators

 

Primary Group: USER-D7A07D9E29\None

 

Directory "C:\junkxxx\.."

Permissions:

Type Flags Inh. Mask Gen. Std. File Group or User

======= ======== ==== ======== ==== ==== ==== ================

Allow 00000003 tco- 001F01FF ---- DSPO rw+x \Everyone

 

Owner: BUILTIN\Administrators

 

Primary Group: BUILTIN\Administrators

 

 

»»Size of Windows key:

(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

 

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

 

»»Dumping Values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

DeviceNotSelectedTimeout = 15

GDIProcessHandleQuota = REG_DWORD 0x00002710

Spooler = yes

swapdisk =

TransmissionRetryTimeout = 90

USERProcessHandleQuota = REG_DWORD 0x00002710

AppInit_DLLs =

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read Everyone

(ID-IO) ALLOW Read Everyone

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read Everyone

Read BUILTIN\Users

QWCEN-DS-- BUILTIN\Power Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

---------- WIN.TXT

AppInit_DLLsp

 

---------- NEWWIN.TXT

AppInit_DLLs2

**File C:\FINDnFIX\NEWWIN.TXT

2ý7B@ÃÊø? àÿÿÿð 8 h À 8 Ðÿÿÿvk DeviceNotSelectedTimeoutèÿÿÿ1 5 c r e e n Ðÿÿÿvk €' GDIProcessHandleQuota àÿÿÿvk ˆ Spooler èÿÿÿy e s h ¸ ð àÿÿÿvk € swapdiskÐÿÿÿvk ð V TransmissionRetryTimeoutèÿÿÿ9 0 Ò ãÒ hóÒ óÒ Ðÿÿÿvk €' USERProcessHandleQuotaÒ Øÿÿÿvk € s AppInit_DLLs2 \ ÿÿÿÿ / C : \ j u n k x x x

**File C:\FINDnFIX\NEWWIN.TXT

00001350: 01 00 00 00 01 00 73 00 . 5F 44 4C 4C 73 32 00 5C ......s. _DLLs2.\

**File C:\FINDnFIX\NEWWIN.TXT

2ý7B@ÃÊø? àÿÿÿð 8 h À 8 Ðÿÿÿvk DeviceNotSelectedTimeoutèÿÿÿ1 5 c r e e n Ðÿÿÿvk €' GDIProcessHandleQuota àÿÿÿvk ˆ Spooler èÿÿÿy e s h ¸ ð àÿÿÿvk € swapdiskÐÿÿÿvk ð V TransmissionRetryTimeoutèÿÿÿ9 0 Ò ãÒ hóÒ óÒ Ðÿÿÿvk €' USERProcessHandleQuotaÒ Øÿÿÿvk € s AppInit_DLLs2 \ ÿÿÿÿ / C : \ j u n k x x x
