sas

browser hijack

18 posts in this topic

A complete newbie and computer beginner. My browser has been hijacked by a file starting with res//. I am not copying and pasting anything because I am not sure what is allowed or not. I cannot surf your links at this time. Should I just carry my computer to a virus/spyware service since I am a beginner?


Hey sas,

If you are still having problems, please do this:

Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.


808CHICK

 

I have run the scan and saved the log. Do I post the log in the reply column of this post? I do not want to post anything in the wrong place that may hurt the site. Thank you for your patience.

Edited by sas


Hey sas,

Yes, post your log as a reply.

Open your saved log, right-click and hit 'Select All'.

Cut & paste the entire log here.


808CHICK,

Thanks for your immediate response. Hope to be rid of this problem soon! I ran a scan with S&D and Ad-aware before posting. I hope you have the patience for this; I have been reading some of the other posts and I don't even know the difference between rebooting in safe or unsafe mode. I am open to any information on tutorials for beginners. I really want to learn more after experiencing this problem. Thanks again!

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 4:54:15 PM, on 8/3/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\NETAH32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\IEIZ.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\QKSHIELD.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\WUAUCLT.EXE

C:\WINDOWS\SYSTEM\HPZSTATX.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)

O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)

O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe

O4 - HKLM\..\Run: [iEIZ.EXE] C:\WINDOWS\IEIZ.EXE

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\Run: [QuikShield] qkshield.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Edited by sas


Hey sas,

There are a lot of steps, so please print this out for easy reference.

Download About:Buster.

Create a new folder in your C:\ drive:

Double click your My Computer icon.

Open C:\

Right click somewhere in C:\ & go to New > Folder.

Name the folder AboutBuster, and unzip all files from the zip folder here. Do not run About:Buster yet.

 

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

 

Install the program and launch it.

 

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

 

Next, we need to configure Ad-aware for a full scan.

 

Click on the Gear icon (second from the left) to access the preferences/settings window.

1. In the General window make sure the following are selected:

  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select:

  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives

3. Click on the Advanced button on the left and select:

  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details

4. Click the Tweak button and select:

  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:

  • Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click Finish.

9. When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next.)

10. Reboot your computer.

 

Next, go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

 

Make sure your computer is configured to show hidden files.

Double-click the My Computer icon on the Windows desktop.

Click the View menu, and then click Options or Folder Options.

Click the View tab.

In the Advanced settings box, under the Hidden files folder, select Show all files.

Click Apply, and then click OK.

 

Close all browsers and windows (including this one). Scan with Hijack This and put checks in the boxes next to all the following lines, then click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)

O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)

O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

 

O4 - HKLM\..\Run: [iEIZ.EXE] C:\WINDOWS\IEIZ.EXE

O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE

O4 - Startup: PowerReg Scheduler.exe

 

Reboot in Safe Mode:

From the Windows Start menu, go to Shut Down and click Restart.

As the computer restarts, press and hold the CTRL key.

(On some keyboards you can press and hold the flying Window key. On some computers, the F8 key can be used instead of the CTRL key.)

From the Windows Start-up menu, type the number for the Safe Mode option or press F5.

 

Once in Safe Mode, go to Add/Remove Programs.

Find ExactSearch or MySearch and hit Remove

 

Run About:Buster.

Start it and hit OK. Then hit Update. A new screen should pop up. On that screen hit Check for Updates. If it says it found an update, hit Download Updates. If it doesn't, it will automatically tell you and exit. Now for the scanning part: hit Start and then OK. The program should start scanning. Scan with About:Buster twice, and save both logs. Then hit Exit.

 

Reboot normally.

 

Run HijackThis & post a new log here, along with the two logs from About:Buster.

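Added example, not code from the thread and not part of HijackThis: a small Python triage script that reads HijackThis log lines and flags the same classes of entry the reply above marks for Fix checked. The point behind those entries: the res:// scheme tells Internet Explorer to load an HTML page stored as a resource inside a DLL, so a Start Page of res://bunwc.dll/index.html means the home page is being served out of a DLL the hijacker dropped into C:\WINDOWS\SYSTEM (the same bunwc.dll Ad-aware later names as CoolWebSearch), which is what the "res//" in the first post refers to. The other flagged entries are the pieces that re-install it: a BHO and a custom protocol handler (O2/O18) loading DLLs from the Windows root, autoruns (O4) for executables with made-up names in the Windows root, and a deleted default URLSearchHook (R3). SAMPLE_LOG is a subset copied from the log posted above; the rules, the Finding class and the function names triage, res_dlls, component_path and run_target are my own choices for this example, not HijackThis signatures. The rules deliberately catch only what they can justify from the path alone, so they miss two entries the reply flags on other grounds (the My Search BHO under Program Files and PowerReg Scheduler.exe in the Startup folder), and they leave the bare qkshield.exe autorun for manual review: a human still reads the whole log.

```python
"""Triage HijackThis v1.98 log lines for CoolWebSearch-style hijack indicators.

Added example for this thread; it is not part of HijackThis and the rules below
are heuristics of my own, not the tool's logic. SAMPLE_LOG is a subset of the
log posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [iEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""

# "Rn - ..." / "On - ..." section prefix that every HijackThis entry carries.
ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
# A file sitting directly in C:\WINDOWS\ with no subfolder. Windows ME keeps its
# own binaries in WINDOWS\SYSTEM, so random names in the root are a cheap red flag.
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# Path following the CLSID in O2/O18/O21 entries, minus HijackThis's "(file missing)" tag.
CLSID_PATH = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (.*?)(?: \(file missing\))?$")
# DLL named in a res:// URL, with or without a full path in front of it.
RES_DLL = re.compile(r"res://([^/\s]*?\.dll)", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "R0", "O2"
    reason: str
    line: str


def component_path(body: str) -> str:
    """Path of the DLL registered by an O2/O18/O21 entry ("" if none is found)."""
    m = CLSID_PATH.search(body)
    return m.group(1).strip() if m else ""


def run_target(body: str) -> str:
    """Executable named by an O4 autorun entry, with its arguments stripped."""
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Bare names such as qkshield.exe resolve through the search path; they
    # never match WINDOWS_ROOT here and are left for manual review.
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the entries that match one of the hijack heuristics, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code in ("R0", "R1") and "res://" in body.lower():
            findings.append(Finding(code, "IE start/search setting served from a DLL resource (res://)", raw))
        elif code == "R3" and "missing" in body.lower():
            findings.append(Finding(code, "default URLSearchHook has been removed", raw))
        elif code in ("O2", "O18", "O21") and WINDOWS_ROOT.match(component_path(body)):
            findings.append(Finding(code, "browser/shell COM component loaded from the Windows root", raw))
        elif code == "O4" and WINDOWS_ROOT.match(run_target(body)):
            findings.append(Finding(code, "autorun executable living in the Windows root", raw))
    return findings


def res_dlls(findings: list[Finding]) -> list[str]:
    """DLL file names that the res:// entries point at: the files to locate and remove."""
    names = set()
    for f in findings:
        m = RES_DLL.search(f.line)
        if m:
            names.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.code:<4}{f.reason}\n    {f.line}")
    print("res:// DLLs to remove:", ", ".join(res_dlls(found)))
```

Run as-is it lists nine entries from the sample (the three res:// lines, the missing URLSearchHook, the two Windows-root BHO/protocol DLLs, and the IEIZ.EXE and NETAH32.EXE autoruns) and names bunwc.dll as the file the res:// URLs load from. The Spybot SDHelper.dll line is not flagged even though it is "(file missing)", because a missing file under Program Files is a stale registration from an uninstalled tool, not evidence of a hijack; the same (file missing) tag on a DLL in C:\WINDOWS is flagged, since nothing legitimate registers a BHO from there.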

808chick,

 

After I rebooted I went to Start->Run and typed in Services.msc, but it cannot locate the file. I also tried a search for the file. No luck. I am posting the log from the Ad-aware scan.

THANKS AGAIN!

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Wednesday, August 04, 2004 2:03:21 AM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R334 24.07.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R217 08.09.2003

Internal build : 107

File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref

Total size : 574398 Bytes

Signature data size : 563299 Bytes

Reference data size : 11035 Bytes

Signatures total : 12937

Target categories : 10

Target families : 267

8-4-2004 1:50:26 AM Performing Webupdate...

 

Installing Update...

Reference file loaded:

Reference Number : 01R334 24.07.2004

Internal build : 268

File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref

Total size : 1316091 Bytes

Signature data size : 1295051 Bytes

Reference data size : 20976 Bytes

Signatures total : 28648

Target categories : 10

Target families : 528

 

8-4-2004 1:53:46 AM Success.

Update successfully downlodaded and installed.

 

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium III

Memory available:0 %

Total physical memory:130316 kb

Available physical memory:660 kb

Total page file size:1966832 kb

Available on page file:1809148 kb

Total virtual memory:2093056 kb

Available virtual memory:2047872 kb

OS:Windows (ME)

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

8-4-2004 2:03:21 AM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [kernel32.dll]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4279218133

Threads : 4

Priority : High

FileSize : 524 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1991-2000

CompanyName : Microsoft Corporation

FileDescription : Win32 Kernel core component

InternalName : KERNEL32

OriginalFilename : KERNEL32.DLL

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:2 [msgsrv32.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294961485

Threads : 1

Priority : Normal

FileSize : 11 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1992-1998

CompanyName : Microsoft Corporation

FileDescription : Windows 32-bit VxD Message Server

InternalName : MSGSRV32

OriginalFilename : MSGSRV32.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:3 [spool32.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294959445

Threads : 2

Priority : Normal

FileSize : 44 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1994 - 1998

CompanyName : Microsoft Corporation

FileDescription : Spooler Sub System Process

InternalName : spool32

OriginalFilename : spool32.exe

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:4 [mprexe.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294841453

Threads : 1

Priority : Normal

FileSize : 28 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1993-2000

CompanyName : Microsoft Corporation

FileDescription : WIN32 Network Interface Service Process

InternalName : MPREXE

OriginalFilename : MPREXE.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:5 [netah32.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294898385

Threads : 1

Priority : Normal

FileSize : 9 KB

Created on : 7/17/2004 4:34:45 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:46 AM

 

#:6 [mmtask.tsk]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294888721

Threads : 1

Priority : Normal

FileSize : 1 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Multimedia background task support module

InternalName : mmtask.tsk

OriginalFilename : mmtask.tsk

ProductName : Microsoft Windows

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:7 [stmgr.exe]

FilePath : C:\WINDOWS\SYSTEM\RESTORE\

ProcessID : 4294888381

Threads : 5

Priority : Normal

FileSize : 60 KB

FileVersion : 4.90.0.2533

ProductVersion : 4.90.0.2533

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Microsoft ® PC State Manager

InternalName : StateMgr.exe

OriginalFilename : StateMgr.exe

ProductName : Microsoft ® PCHealth

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:8 [devldr16.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294853785

Threads : 3

Priority : Normal

FileSize : 37 KB

FileVersion : 1, 0, 0, 15

ProductVersion : 1, 0, 0, 15

Copyright : Copyright

CompanyName : Creative Technology Ltd.

FileDescription : DevLdr16

InternalName : DevLdr

OriginalFilename : DevLdr16.exe

ProductName : Creative Ring3 NT Inteface

Created on : 11/29/2000 11:42:14 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/5/2000 6:32:08 PM

 

#:9 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294953425

Threads : 20

Priority : Normal

FileSize : 220 KB

FileVersion : 5.50.4134.100

ProductVersion : 5.50.4134.100

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:10 [systray.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294715725

Threads : 2

Priority : Normal

FileSize : 36 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1993-2000

CompanyName : Microsoft Corporation

FileDescription : System Tray Applet

InternalName : SYSTRAY

OriginalFilename : SYSTRAY.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:11 [em_exec.exe]

FilePath : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\

ProcessID : 4294712489

Threads : 2

Priority : Normal

FileSize : 33 KB

FileVersion : 9.01.78

ProductVersion : 9.01

Copyright : Copyright

CompanyName : Logitech Inc.

FileDescription : Control Center

InternalName : EM_EXEC

OriginalFilename : EM_EXEC.CPP

ProductName : MouseWare

Created on : 11/29/2000 11:37:50 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 2/4/2000 1:01:00 PM

 

#:12 [navapw32.exe]

FilePath : C:\PROGRAM FILES\NORTON ANTIVIRUS\

ProcessID : 4294747317

Threads : 6

Priority : Normal

FileSize : 48 KB

FileVersion : 6.20.00.04

ProductVersion : 6.20.00.04

Copyright : Copyright © Symantec Corporation 1991-2000

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Agent

InternalName : NAVAPW32

OriginalFilename : NAVAPW32.DLL

ProductName : Norton AntiVirus

Created on : 11/29/2000 11:46:37 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/6/2000 10:00:00 AM

 

#:13 [qttask.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294745661

Threads : 2

Priority : Normal

FileSize : 76 KB

FileVersion : 6.4

ProductVersion : QuickTime 6.4

CompanyName : Apple Computer, Inc.

FileDescription : Apple Computer, Inc.

InternalName : QuickTime Task

OriginalFilename : QTTask.exe

ProductName : QuickTime

Created on : 2/1/2004 7:45:31 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 2/1/2004 7:45:32 PM

 

#:14 [ieiz.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294643313

Threads : 1

Priority : Normal

FileSize : 26 KB

Created on : 7/17/2004 4:34:13 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:18 AM

 

#:15 [wmiexe.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294666309

Threads : 3

Priority : Normal

FileSize : 16 KB

FileVersion : 4.90.2452.1

ProductVersion : 4.90.2452.1

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : WMI service exe housing

InternalName : wmiexe

OriginalFilename : wmiexe.exe

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:16 [qkshield.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294681781

Threads : 1

Priority : Normal

FileSize : 517 KB

FileVersion : 2.4.0.0

ProductVersion : 2.4.0.0

Copyright : Copyright

CompanyName : United Software

FileDescription : QuikShield

InternalName : QuikShield

OriginalFilename : qkshield.exe

ProductName : QuikShield

Created on : 7/18/2004 2:59:16 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/18/2004 2:58:54 AM

 

#:17 [money express.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\

ProcessID : 4294691649

Threads : 4

Priority : Normal

FileSize : 172 KB

FileVersion : 9.00.0715

ProductVersion : 9.00.0715

Copyright : Copyright © Microsoft Corp. 1990-2000. All rights reserved.

CompanyName : Microsoft Corporation

FileDescription : Microsoft Money Express

InternalName : MoneyExpress

OriginalFilename : MoneyExpress.EXE

ProductName : Microsoft Money

Created on : 7/19/2000 1:00:00 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/19/2000 1:00:00 PM

 

#:18 [ddhelp.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294587033

Threads : 3

Priority : Realtime

FileSize : 31 KB

FileVersion : 4.08.01.0881

ProductVersion : 4.08.01.0881

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft DirectX Helper

InternalName : DDHelp.exe

OriginalFilename : DDHelp.exe

ProductName : Microsoft

Created on : 11/30/2002 10:44:26 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 10/30/2001 12:10:00 PM

 

#:19 [stimon.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294426561

Threads : 5

Priority : Normal

FileSize : 27 KB

FileVersion : 4.90.3000.1

ProductVersion : 4.90.3000.1

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Still Image Devices Monitor

InternalName : STIMON

OriginalFilename : STIMON.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:20 [wuauclt.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294717157

Threads : 3

Priority : Idle

FileSize : 180 KB

FileVersion : 5.4.5681.0

ProductVersion : 5.4.5681.0

CompanyName : Microsoft Corporation

FileDescription : Microsoft AutoUpdate

InternalName : WUAUCLT.EXE

OriginalFilename : WUAUCLT.EXE

ProductName : Microsoft Windows Update - AutoUpdate feature

Created on : 3/8/2004 7:58:44 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 9/16/2002 1:37:16 PM

 

#:21 [hpzstatx.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294332825

Threads : 5

Priority : Normal

FileSize : 156 KB

FileVersion : 1.14.2000

ProductVersion : 1.14.2000

Copyright : Copyright 1999

CompanyName : Hewlett-Packard Company

FileDescription : DJStatusServer Module

InternalName : DJSTATUSSERVER

OriginalFilename : DJSTATUSSERVER.EXE

ProductName : DJStatusServer Module

Created on : 12/27/2000 12:59:13 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 4/7/2000 7:55:00 AM

 

#:22 [osa9.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\

ProcessID : 4294452357

Threads : 1

Priority : Normal

FileSize : 64 KB

FileVersion : 9.0.3720

ProductVersion : 9.0.3720

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office 2000 component

InternalName : Osa

OriginalFilename : Osa.Exe

ProductName : Microsoft Office 2000

Created on : 8/10/2000 4:00:00 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 8/10/2000 4:00:00 PM

 

#:23 [osa9.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\

ProcessID : 4294397621

Threads : 1

Priority : Normal

FileSize : 64 KB

FileVersion : 9.0.3720

ProductVersion : 9.0.3720

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft Office 2000 component

InternalName : Osa

OriginalFilename : Osa.Exe

ProductName : Microsoft Office 2000

Created on : 8/10/2000 4:00:00 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 8/10/2000 4:00:00 PM

 

#:24 [rnaapp.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294150029

Threads : 3

Priority : Normal

FileSize : 56 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1992-1996

CompanyName : Microsoft Corporation

FileDescription : Dial-Up Networking Application

InternalName : RNAAPP

OriginalFilename : RNAAPP.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:25 [tapisrv.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294123253

Threads : 6

Priority : Normal

FileSize : 120 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1994-1998

CompanyName : Microsoft Corporation

FileDescription : Microsoft

InternalName : Telephony Service

OriginalFilename : TAPISRV.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:26 [iexplore.exe]

FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\

ProcessID : 4294444001

Threads : 6

Priority : Normal

FileSize : 89 KB

FileVersion : 6.00.2800.1106

ProductVersion : 6.00.2800.1106

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

OriginalFilename : IEXPLORE.EXE

ProductName : Microsoft

Created on : 8/29/2002 11:07:38 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 8/29/2002 11:07:38 AM

 

#:27 [pstores.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294480977

Threads : 3

Priority : Normal

FileSize : 82 KB

FileVersion : 5.00.2133.2

ProductVersion : 5.00.2133.2

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Protected storage server

InternalName : Protected storage server

OriginalFilename : Protected storage server

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:28 [ad-aware.exe]

FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\

ProcessID : 4294564473

Threads : 2

Priority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 8/4/2004 5:47:08 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/13/2003 2:00:20 AM

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}

 

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 2

Objects found so far: 2

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://bunwc.dll/index.html#37794"

Category : Malware

Comment : Possible browser hijack attempt

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "res://bunwc.dll/index.html#37794"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://bunwc.dll/index.html#37794"

Category : Malware

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "res://bunwc.dll/index.html#37794"

 

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://bunwc.dll/index.html#37794"

Category : Malware

Comment : Possible browser hijack attempt

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\Microsoft\Internet Explorer\Main

Value : Default_Page_URL

Data : "res://bunwc.dll/index.html#37794"

 

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

 

Possible Browser Hijack attempt Object recognized!

Type : RegData

Data : "res://bunwc.dll/index.html#37794"

Category : Malware

Comment : Possible browser hijack attempt

Rootkey : HKEY_USERS

Object : .Default\Software\Microsoft\Internet Explorer\Main

Value : Start Page

Data : "res://bunwc.dll/index.html#37794"

 

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : PROTOCOLS\Handler\icoo

 

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}

 

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 6

Objects found so far: 8

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

CoolWebSearch Object recognized!

Type : File

Data : bunwc.dll

Category : Malware

Comment :

Object : C:\WINDOWS\SYSTEM\

FileSize : 69 KB

Created on : 7/17/2004 4:34:57 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:35:06 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : default@gator[1].txt

Category : Data Miner

Comment :

Object : C:\WINDOWS\COOKIES\

 

Created on : 8/3/2004 7:22:41 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 8/3/2004 7:22:42 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : default@kelkoo.co[2].txt

Category : Data Miner

Comment :

Object : C:\WINDOWS\COOKIES\

 

Created on : 12/6/2003 5:32:56 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 12/6/2003 5:32:58 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : scanregw.exe

Category : Malware

Comment :

Object : C:\WINDOWS\

FileSize : 18 KB

Created on : 7/17/2004 4:34:46 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:48 AM

 

 

 

CoolWebSearch Object recognized!

Type : File

Data : scanregw.exe.bak

Category : Malware

Comment :

Object : C:\WINDOWS\

FileSize : 18 KB

Created on : 7/17/2004 4:34:46 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:48 AM

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 13

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : Software\Adverts

 

 

Win32.Adverts.TrojanDownloader Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : icoo

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE

 

 

CoolWebSearch Object recognized!

Type : RegKey

Data :

Category : Malware

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW

 

 

CoolWebSearch Object recognized!

Type : RegValue

Data :

Category : Malware

Comment :

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Value : ITBarLayout

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 6

Objects found so far: 19

 

 

2:16:30 AM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:13:08:290

Objects scanned :126733

Objects identified :19

Objects ignored :0

New objects :19


808chick,

 

Here are the latest scan logs.

 

Thanks,

Steve

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Wednesday, August 04, 2004 11:37:51 AM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R217 08.09.2003

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R217 08.09.2003

Internal build : 107

File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref

Total size : 574398 Bytes

Signature data size : 563299 Bytes

Reference data size : 11035 Bytes

Signatures total : 12937

Target categories : 10

Target families : 267

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium III

Memory available:27 %

Total physical memory:130316 kb

Available physical memory:10356 kb

Total page file size:1966832 kb

Available on page file:1874868 kb

Total virtual memory:2093056 kb

Available virtual memory:2058304 kb

OS:Windows (ME)

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

8-4-2004 11:37:51 AM - Scan started. (Custom mode)

 

Listing running processes

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

#:1 [kernel32.dll]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4279216985

Threads : 4

Priority : High

FileSize : 524 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1991-2000

CompanyName : Microsoft Corporation

FileDescription : Win32 Kernel core component

InternalName : KERNEL32

OriginalFilename : KERNEL32.DLL

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:2 [msgsrv32.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294962625

Threads : 1

Priority : Normal

FileSize : 11 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1992-1998

CompanyName : Microsoft Corporation

FileDescription : Windows 32-bit VxD Message Server

InternalName : MSGSRV32

OriginalFilename : MSGSRV32.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:3 [mmtask.tsk]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294839757

Threads : 1

Priority : Normal

FileSize : 1 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Multimedia background task support module

InternalName : mmtask.tsk

OriginalFilename : mmtask.tsk

ProductName : Microsoft Windows

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:4 [mprexe.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294838161

Threads : 1

Priority : Normal

FileSize : 28 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1993-2000

CompanyName : Microsoft Corporation

FileDescription : WIN32 Network Interface Service Process

InternalName : MPREXE

OriginalFilename : MPREXE.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:5 [netah32.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294877241

Threads : 1

Priority : Normal

FileSize : 9 KB

Created on : 7/17/2004 4:34:45 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:46 AM

 

#:6 [devldr16.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294878577

Threads : 3

Priority : Normal

FileSize : 37 KB

FileVersion : 1, 0, 0, 15

ProductVersion : 1, 0, 0, 15

Copyright : Copyright

CompanyName : Creative Technology Ltd.

FileDescription : DevLdr16

InternalName : DevLdr

OriginalFilename : DevLdr16.exe

ProductName : Creative Ring3 NT Inteface

Created on : 11/29/2000 11:42:14 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/5/2000 6:32:08 PM

 

#:7 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294899021

Threads : 19

Priority : Normal

FileSize : 220 KB

FileVersion : 5.50.4134.100

ProductVersion : 5.50.4134.100

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

OriginalFilename : EXPLORER.EXE

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:8 [systray.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294823161

Threads : 2

Priority : Normal

FileSize : 36 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1993-2000

CompanyName : Microsoft Corporation

FileDescription : System Tray Applet

InternalName : SYSTRAY

OriginalFilename : SYSTRAY.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:9 [em_exec.exe]

FilePath : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\

ProcessID : 4294718453

Threads : 1

Priority : Normal

FileSize : 33 KB

FileVersion : 9.01.78

ProductVersion : 9.01

Copyright : Copyright

CompanyName : Logitech Inc.

FileDescription : Control Center

InternalName : EM_EXEC

OriginalFilename : EM_EXEC.CPP

ProductName : MouseWare

Created on : 11/29/2000 11:37:50 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 2/4/2000 1:01:00 PM

 

#:10 [navapw32.exe]

FilePath : C:\PROGRAM FILES\NORTON ANTIVIRUS\

ProcessID : 4294804617

Threads : 6

Priority : Normal

FileSize : 48 KB

FileVersion : 6.20.00.04

ProductVersion : 6.20.00.04

Copyright : Copyright © Symantec Corporation 1991-2000

CompanyName : Symantec Corporation

FileDescription : Norton AntiVirus Auto-Protect Agent

InternalName : NAVAPW32

OriginalFilename : NAVAPW32.DLL

ProductName : Norton AntiVirus

Created on : 11/29/2000 11:46:37 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/6/2000 10:00:00 AM

 

#:11 [qttask.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294724885

Threads : 2

Priority : Normal

FileSize : 76 KB

FileVersion : 6.4

ProductVersion : QuickTime 6.4

CompanyName : Apple Computer, Inc.

FileDescription : Apple Computer, Inc.

InternalName : QuickTime Task

OriginalFilename : QTTask.exe

ProductName : QuickTime

Created on : 2/1/2004 7:45:31 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 2/1/2004 7:45:32 PM

 

#:12 [stmgr.exe]

FilePath : C:\WINDOWS\SYSTEM\RESTORE\

ProcessID : 4294749417

Threads : 4

Priority : Normal

FileSize : 60 KB

FileVersion : 4.90.0.2533

ProductVersion : 4.90.0.2533

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Microsoft ® PC State Manager

InternalName : StateMgr.exe

OriginalFilename : StateMgr.exe

ProductName : Microsoft ® PCHealth

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:13 [ieiz.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294758673

Threads : 1

Priority : Normal

FileSize : 26 KB

Created on : 7/17/2004 4:34:13 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/17/2004 4:34:18 AM

 

#:14 [qkshield.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294653341

Threads : 1

Priority : Normal

FileSize : 517 KB

FileVersion : 2.4.0.0

ProductVersion : 2.4.0.0

Copyright : Copyright

CompanyName : United Software

FileDescription : QuikShield

InternalName : QuikShield

OriginalFilename : qkshield.exe

ProductName : QuikShield

Created on : 7/18/2004 2:59:16 AM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/18/2004 2:58:54 AM

 

#:15 [wmiexe.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294664529

Threads : 3

Priority : Normal

FileSize : 16 KB

FileVersion : 4.90.2452.1

ProductVersion : 4.90.2452.1

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : WMI service exe housing

InternalName : wmiexe

OriginalFilename : wmiexe.exe

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:16 [money express.exe]

FilePath : C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\

ProcessID : 4294678953

Threads : 4

Priority : Normal

FileSize : 172 KB

FileVersion : 9.00.0715

ProductVersion : 9.00.0715

Copyright : Copyright © Microsoft Corp. 1990-2000. All rights reserved.

CompanyName : Microsoft Corporation

FileDescription : Microsoft Money Express

InternalName : MoneyExpress

OriginalFilename : MoneyExpress.EXE

ProductName : Microsoft Money

Created on : 7/19/2000 1:00:00 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/19/2000 1:00:00 PM

 

#:17 [ddhelp.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294574937

Threads : 3

Priority : Realtime

FileSize : 31 KB

FileVersion : 4.08.01.0881

ProductVersion : 4.08.01.0881

Copyright : Copyright

CompanyName : Microsoft Corporation

FileDescription : Microsoft DirectX Helper

InternalName : DDHelp.exe

OriginalFilename : DDHelp.exe

ProductName : Microsoft

Created on : 11/30/2002 10:44:26 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 10/30/2001 12:10:00 PM

 

#:18 [pstores.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294685085

Threads : 3

Priority : Normal

FileSize : 82 KB

FileVersion : 5.00.2133.2

ProductVersion : 5.00.2133.2

Copyright : Copyright © Microsoft Corp. 1981-1999

CompanyName : Microsoft Corporation

FileDescription : Protected storage server

InternalName : Protected storage server

OriginalFilename : Protected storage server

ProductName : Microsoft® Windows ® 2000 Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:19 [rnaapp.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294637097

Threads : 2

Priority : Normal

FileSize : 56 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1992-1996

CompanyName : Microsoft Corporation

FileDescription : Dial-Up Networking Application

InternalName : RNAAPP

OriginalFilename : RNAAPP.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:20 [tapisrv.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294516897

Threads : 5

Priority : Normal

FileSize : 120 KB

FileVersion : 4.90.3000

ProductVersion : 4.90.3000

Copyright : Copyright © Microsoft Corp. 1994-1998

CompanyName : Microsoft Corporation

FileDescription : Microsoft

InternalName : Telephony Service

OriginalFilename : TAPISRV.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:21 [stimon.exe]

FilePath : C:\WINDOWS\SYSTEM\

ProcessID : 4294485417

Threads : 5

Priority : Normal

FileSize : 27 KB

FileVersion : 4.90.3000.1

ProductVersion : 4.90.3000.1

Copyright : Copyright © Microsoft Corp. 1981-2000

CompanyName : Microsoft Corporation

FileDescription : Still Image Devices Monitor

InternalName : STIMON

OriginalFilename : STIMON.EXE

ProductName : Microsoft® Windows® Millennium Operating System

Created on : 1/1/1601

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/8/2000 9:00:00 PM

 

#:22 [wuauclt.exe]

FilePath : C:\WINDOWS\

ProcessID : 4294396249

Threads : 3

Priority : Idle

FileSize : 180 KB

FileVersion : 5.4.5681.0

ProductVersion : 5.4.5681.0

CompanyName : Microsoft Corporation

FileDescription : Microsoft AutoUpdate

InternalName : WUAUCLT.EXE

OriginalFilename : WUAUCLT.EXE

ProductName : Microsoft Windows Update - AutoUpdate feature

Created on : 3/8/2004 7:58:44 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 9/16/2002 1:37:16 PM

 

#:23 [ad-aware.exe]

FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\

ProcessID : 4294612057

Threads : 2

Priority : Normal

FileSize : 668 KB

FileVersion : 6.0.1.181

ProductVersion : 6.0.0.0

Copyright : Copyright

CompanyName : Lavasoft Sweden

FileDescription : Ad-aware 6 core application

InternalName : Ad-aware.exe

OriginalFilename : Ad-aware.exe

ProductName : Lavasoft Ad-aware Plus

Created on : 8/4/2004 3:35:19 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 7/13/2003 2:00:20 AM

 

Memory scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 0

 

 

Started registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Data Miner

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.NetscapeShutdown

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.NetscapeShutdown.1

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.NetscapeStartup

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.NetscapeStartup.1

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.SettingsPlugin

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : MySearchToolBar.SettingsPlugin.1

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_LOCAL_MACHINE

Object : Software\MySearch

 

 

MySearch Object recognized!

Type : RegKey

Data :

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}

 

 

MySearch Object recognized!

Type : RegValue

Data :

Category : Misc

Comment : "MySearchToolBar.NetscapeShutdown.1"

Rootkey : HKEY_CURRENT_USER

Object : Software\Netscape\Netscape Navigator\Automation Shutdown

Value : MySearchToolBar.NetscapeShutdown.1

 

 

MySearch Object recognized!

Type : RegValue

Data :

Category : Misc

Comment : "MySearchToolBar.NetscapeStartup.1"

Rootkey : HKEY_CURRENT_USER

Object : Software\Netscape\Netscape Navigator\Automation Startup

Value : MySearchToolBar.NetscapeStartup.1

 

 

Windows Object recognized!

Type : RegData

Data :

Category : Data Miner

Comment : MediaPlayer Unique ID

Rootkey : HKEY_USERS

Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings

Value : Client ID

Data :

 

 

Windows Object recognized!

Type : RegData

Data :

Category : Data Miner

Comment : MediaPlayer Unique ID

Rootkey : HKEY_CURRENT_USER

Object : Software\Microsoft\MediaPlayer\Player\Settings

Value : Client ID

Data :

 

 

Registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 25

Objects found so far: 25

 

 

Started deep registry scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Deep registry scan result :

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 25

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

MySearch Object recognized!

Type : File

Data : mysearchpluginproxy.class

Category : Misc

Comment :

Object : C:\Program Files\MySearch\bar\1.bin\

 

Created on : 6/4/2004 12:18:33 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/4/2004 12:18:34 PM

 

 

 

MySearch Object recognized!

Type : File

Data : s42ns.exe

Category : Misc

Comment :

Object : C:\Program Files\MySearch\bar\1.bin\

FileSize : 24 KB

Created on : 6/4/2004 12:18:33 PM

Last accessed : 8/4/2004 4:00:00 AM

Last modified : 6/4/2004 12:18:34 PM

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 27

 

 

Performing conditional scans..

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

MySearch Object recognized!

Type : Folder

Category : Misc

Comment :

Object : c:\program files\MySearch

 

 

Conditional scan result:

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 1

Objects found so far: 28

 

 

11:42:43 AM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:04:51:770

Objects scanned :112381

Objects identified :28

Objects ignored :0

New objects :28

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:48:48 AM, on 8/4/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\NETAH32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\IEIZ.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\QKSHIELD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe

O4 - HKLM\..\Run: [iEIZ.EXE] C:\WINDOWS\IEIZ.EXE

O4 - HKLM\..\Run: [QuikShield] qkshield.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL


Hey Steve,

Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

 

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

 

Reboot to Safe Mode

How to start the computer in Safe mode

 

Make sure your PC is configured to show hidden files

 

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.

Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".

Click "Apply" then "OK"

 

Close all browsers and windows (including this one). Scan with Hijack This and put checks in the boxes next to all the following lines, then click Fix Checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

 

O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

 

O4 - HKLM\..\Run: [iEIZ.EXE] C:\WINDOWS\IEIZ.EXE

O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE

 

You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it.

O4 - Startup: PowerReg Scheduler.exe

 

Delete the following files/folders if present.

C:\WINDOWS\system\bunwc.dll

C:\WINDOWS\IEUF32.DLL

C:\WINDOWS\IEIZ.EXE

C:\WINDOWS\NETAH32.EXE

 

Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

 

Scan with Adaware and let it remove any bad files found.

 

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files

Temporary Internet Files

Recycle Bin

 

Go to Start => Run and type in "regedit" (without quotes) and press "Enter".

Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3

If __NS_Service_3 exists, right click on it and choose Delete from the menu.

Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.

Exit regedit and reboot in Normal Mode.

 

Scan again with HijackThis and post a new log here (just a HijackThis log please :D ).

 

Finally, do an online scan HERE. Let it remove any infected files found.

 

Replace Deleted Files

It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

 

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'

Exit Program.

 

If you have Spybot S&D installed you may also need to replace one file.

Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

 

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX! If they have been changed, reset your ActiveX security settings in IE as recommended.

Go to Internet Options/Security/Internet, press 'Default level', then OK.

Now press 'Custom Level'.

In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.

Edited by 808chick

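Two of the steps in the post above, restoring a clean hosts file (what the Hoster's 'Restore Original Hosts' button does) and tightening the Internet zone's ActiveX settings, can be checked offline. The script below is an added example and is not the Hoster tool, HijackThis, or any code from this thread; the hosts-file sample is constructed, the registry value names (1001, 1004, 1201 under the Internet zone, with 0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented zone settings, and `read_internet_zone` only works on Windows.

```python
"""Offline checks behind two steps in the post above: restoring a clean
hosts file and tightening the Internet zone's ActiveX settings.
Added example; this is not the Hoster tool or HijackThis, and the sample
data below is constructed."""
import ipaddress

# The stock hosts file on the systems in this thread holds only this line.
DEFAULT_HOSTS = "127.0.0.1\tlocalhost\n"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def audit_hosts(text):
    """Return (ip, hostname, reason) for every mapping other than the
    stock localhost line. Hijacks typically either redirect a site to
    a foreign address or blackhole update/help sites to loopback."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name == "localhost" and addr in LOOPBACK:
                continue
            if addr in LOOPBACK:
                reason = "blackholed to loopback (blocks updates/help sites)"
            else:
                reason = "redirected to %s" % addr
            findings.append((ip, name, reason))
    return findings


# Internet-zone values the post tells the user to reset, as stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (Microsoft's documented value names; data 0 = Enable, 1 = Prompt, 3 = Disable).
ACTIVEX_POLICY = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}


def check_activex_zone(zone_values):
    """zone_values maps value name -> DWORD data. Returns
    (name, label, current, recommended) for each value more permissive
    than the post recommends; a lower number is more permissive."""
    weak = []
    for name, (label, wanted) in ACTIVEX_POLICY.items():
        current = zone_values.get(name)
        if current is None or current < wanted:
            weak.append((name, label, SETTING.get(current, "unset"), SETTING[wanted]))
    return weak


def read_internet_zone():
    """Read the live Internet-zone values on Windows (None elsewhere)."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in ACTIVEX_POLICY:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return values


# Constructed sample of a hijacked hosts file and of an "allow ALL ActiveX" zone.
SAMPLE_HOSTS = """
# constructed sample
127.0.0.1       localhost
203.0.113.5     www.search.example       # search traffic redirected
127.0.0.1       update.antivirus.example
"""
SAMPLE_ZONE = {"1001": 0, "1004": 0, "1201": 0}

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", *finding)
    for weak in check_activex_zone(read_internet_zone() or SAMPLE_ZONE):
        print("activex:", *weak)
    print("replacement hosts file:\n" + DEFAULT_HOSTS)
```

Anything `audit_hosts` reports is exactly what 'Restore Original Hosts' throws away, so running it first shows what the hijack was doing; the loopback case matters because it silently blocks antivirus updates and help sites. On Windows the ActiveX check reads the live zone values; elsewhere it runs against the constructed sample.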

808chick,

 

I followed your latest instructions all the way down to the Housecall scan. The scan detected 3 files infected with a trojan. When I try to delete the files I get a message - unable to clean the file c:\restore\archive\FS6638.CAB because it is currently in use. In the scan register it also has items marked cannot access.

I failed to save the aboutbuster log :blush:.

Posting hijackthis log.

The great news :thumbsup:, I have my home page back, thanks.

 

Logfile of HijackThis v1.98.0

Scan saved at 12:03:40 AM, on 8/5/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\QKSHIELD.EXE

C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe

O4 - HKLM\..\Run: [QuikShield] qkshield.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/

O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Edited by sas

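A script-assisted first pass over the log posted above, as an added example that is not part of this thread or of HijackThis. The flags are the editor's own review prompts, not verdicts: every O21 (ShellServiceObjectDelayLoad) entry, O4 autostarts that run from a bare filename or from outside an assumed list of stock folders, O16 entries that fetch an .exe, anything marked '(file missing)', and the R3 missing-hook line. `STANDARD_DIRS` is an assumption about a stock Win9x/XP install; the sample lines are copied from the posted log.

```python
"""First-pass triage of a HijackThis 1.98 log. Added example, not part of
the thread or of HijackThis; the heuristics are the editor's own review
prompts, not verdicts. SAMPLE_LOG lines are copied from the log above."""
import re

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")      # "O4 - HKLM\..\Run: ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com))\b', re.IGNORECASE)
O4_CMD_RE = re.compile(r".*?:\s+\[[^\]]*\]\s+(.*)$")   # drop "HKLM\..\Run: [name]"

# Assumed stock locations for autostart programs on a Win9x/XP machine.
STANDARD_DIRS = ("c:\\program files\\", "c:\\progra~1\\",
                 "c:\\windows\\system\\", "c:\\windows\\system32\\",
                 "c:\\windows\\pchealth\\")


def parse_entry(line):
    """Split one log line into its section code and payload."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    return {"kind": kind, "rest": rest,
            "clsid": clsid.group(0) if clsid else None,
            "missing": "(file missing)" in rest}


def _executable(command):
    """Path of the program an O4 command runs, quoted or not, arguments dropped."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip()


def triage(log_text):
    """Return (kind, why, entry) for every entry worth a second look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if not e:
            continue
        kind, rest = e["kind"], e["rest"]
        if e["missing"]:
            findings.append((kind, "references a file that is not on disk", rest))
        if kind == "R3" and "is missing" in rest:
            findings.append((kind, "default URLSearchHook absent; review", rest))
        elif kind == "O4":
            m = O4_CMD_RE.match(rest)
            exe = _executable(m.group(1) if m else rest).lower()
            if "\\" not in exe:
                findings.append((kind, "bare filename resolved via the search path; confirm which copy runs", rest))
            elif not exe.startswith(STANDARD_DIRS):
                findings.append((kind, "autostart outside the usual program/system folders", rest))
        elif kind == "O16" and rest.lower().rstrip().endswith(".exe"):
            findings.append((kind, "ActiveX download entry for an .exe installer; confirm it was wanted", rest))
        elif kind == "O21":
            findings.append((kind, "ShellServiceObjectDelayLoad DLL loaded by Explorer at logon; verify it", rest))
    return findings


# Lines copied from the posted log (a subset).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""

if __name__ == "__main__":
    for kind, why, entry in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (kind, why, entry))
```

The point of the heuristics is to shrink the list a helper has to read by hand, not to replace that reading: entries under Program Files or the system folder are skipped, and everything else is printed with the reason it was picked so the reviewer can confirm the file on disk before touching it.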

Hey Steve,

That's good to hear, glad we could help! :D

Here are some steps to avoid reinfection:

Read How did I get infected in the first place?

 

Download and install the following programs (all are free):

Spyware Blaster - SpywareBlaster will prevent spyware from being installed and consumes no system resources.

Spyware Guard - SpywareGuard v2.2.0 provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

IE-SPYAD - IE-SPYAD places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system.

 

Install a firewall, such as Zone Alarm

 

And always remember to update Windows & Internet Explorer.


808chick,

 

Just a couple more questions please. I could not link to the site to replace my deleted files from the post. What do I need to do about the 3 infected files (trojan) that I mentioned in the post above? Do I need to purchase a real-time virus blocker (if yes, any suggestion on which one)? Finally, could you recommend a spam/pop-up blocker, or am I already set up with the files you had me download (I currently keep receiving a pop-up for Quick Shield)?

Thanks for your patience and help!!! All of this info has been a little mind-boggling, but I feel I have learned from your advice and help.

 

BIG THANKS :thumbsup:


Which of the links could you not use? Or was it all of them? Just wondering because they just worked for me. The 'Hoster' link goes directly into a download (zip file), and the control.exe & SdHelper.dll go to Merijn's site.

For your trojans, try this online scan: Panda Active Scan. If you are still having trouble with those Trojans, try Trojan Hunter (it has a free trial).

What kind of anti-virus are you running? I recommend AVG, with a2.

For a pop-up blocker, you can download the Google toolbar, or just switch internet browsers to Mozilla Firefox, which has a built in pop-up blocker.


808chick,

The link is working now. The only one I could not get to link was Merijn's.

It came up "cannot display page"; must have been a server problem or something. I tried it about a half dozen times last night.

:D:D:D THANKS AGAIN :D:D:D

 

STEVE (SOUTH CAROLINA)

Edited by sas


No problem

Merijn's site is sometimes under attack, that might explain why you were not able to get in earlier.


Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
