
browser hijack


  • This topic is locked
17 replies to this topic

#1 sas

    Member

  • Full Member
  • 16 posts

Posted 26 July 2004 - 02:41 PM

A complete newbie and computer beginner. Browser has been hijacked by a file starting with res//. Not copying and pasting anything because I am not sure what is allowed or not. Cannot surf your links at this time. Should I just carry my computer to a virus/spyware service since I am a beginner?

#2 808chick

    SWI Junkie

  • Retired Staff - Helper
  • 262 posts

Posted 01 August 2004 - 05:47 AM

Hey sas,
If you are still having problems, please do this:
Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

#3 sas

    Member

  • Full Member
  • 16 posts

Posted 02 August 2004 - 07:02 AM

808CHICK

I have run the scan and saved the log. Do I post the log in the reply column of this post? I do not want to post anything in the wrong place that may hurt the site. Thank you for your patience.

Edited by sas, 02 August 2004 - 07:34 AM.


#4 808chick

    SWI Junkie

  • Retired Staff - Helper
  • 262 posts

Posted 02 August 2004 - 07:15 PM

Hey sas,
Yes, post your log as a reply.
Open your saved log, right-click and hit 'Select All'.
Cut & paste the entire log here.

#5 sas

    Member

  • Full Member
  • 16 posts

Posted 03 August 2004 - 07:09 AM

808CHICK,
Thanks for your immediate response. Hope to be rid of this problem soon!!! I ran a scan with S&D and Ad-aware before posting. I hope you have the patience for this; I have been reading some of the other posts and I don't even know the difference between rebooting in safe or unsafe mode. Open to any information on tutorials for beginners. I really want to learn more after experiencing this problem. Thanks again!



Logfile of HijackThis v1.98.0
Scan saved at 4:54:15 PM, on 8/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\NETAH32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\IEIZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\QKSHIELD.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA9.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [IEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Edited by sas, 03 August 2004 - 03:54 PM.


#6 808chick

    SWI Junkie

  • Retired Staff - Helper
  • 262 posts

Posted 03 August 2004 - 06:58 PM

Hey sas,
There are a lot of steps, so please print this out for easy reference.
Download About:Buster.
Create a new folder in your C:\ drive:
Double click your My Computer icon.
Open C:\
Right click somewhere in C:\ & go to New > Folder.
Name the folder AboutBuster, and unzip all files from the zip folder here. Do not run About:Buster yet.

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.

Next, go to Start->Run and type Services.msc then hit Ok
Scroll down and find the service called Network Security Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

Make sure your computer is configured to show hidden files.
Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Options or Folder Options.
Click the View tab.
In the Advanced settings box, under the Hidden files folder, select Show all files.
Click Apply, and then click OK.

Close all browsers and windows (including this one). Scan with Hijack This and put checks in the boxes next to all the following lines, then click Fix Checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

R3 - Default URLSearchHook is missing

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

O4 - HKLM\..\Run: [IEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - Startup: PowerReg Scheduler.exe


Reboot in Safe Mode:
From the Windows Start menu, go to Shut Down and click Restart.
As the computer restarts, press and hold the CTRL key.
(On some keyboards you can press and hold the flying Window key. On some computers, the F8 key can be used instead of the CTRL key.)
From the Windows Start-up menu, type the number for the Safe Mode option or press F5.

Once in Safe Mode, go to Add/Remove Programs.
Find ExactSearch or MySearch and hit Remove

Run About:Buster.
Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesn't it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Scan with About:Buster twice, and save both logs. Then hit exit.

Reboot normally.

Run HijackThis & post a new log here, along with the two logs from About:Buster.
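The fix list above amounts to a set of triage rules for HijackThis entries, and it is worth seeing those rules written down. The script below is an added example for this thread, not code from HijackThis or from the forum: it parses HJT-style log lines and flags R0/R1 values that point at a res:// page inside a DLL, a missing default URLSearchHook, O2 BHOs whose DLL is missing (the Spybot SDHelper line, which the helper left alone, is allowlisted), O2/O4/O18 entries that load a file straight from the Windows root directory, and per-user Startup-folder items. It goes slightly beyond the helper's ticks in two ways: it also flags the O18 icoo protocol handler, which the Ad-aware log later in the thread reports as Win32.Adverts.TrojanDownloader, and it does not flag the MSN Search Bar line, which the helper reset together with the rest. The sample log is a constructed subset of the log sas posted; the rule wording, the regular expressions and both allowlists are my assumptions.

```python
"""Triage HijackThis-style log lines for CoolWebSearch (CWS) hijack indicators.

Added example for this thread, not HijackThis code. The rules encode the
entries the helper told sas to tick; the allowlists are illustrative.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.98 log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O2 - BHO: ICOO Loader BHO - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [IEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""

# "R1 - <body>", "O4 - <body>" and so on; anything else (header, process list) is skipped.
ENTRY = re.compile(r"^(R[0-3]|F\d|O\d+|N\d) - (.*)$")
# A file that sits directly in C:\WINDOWS\ rather than in a subfolder (assumption: CWS
# drops its randomly named EXE/DLL there, legitimate software rarely does).
WINDIR_ROOT_FILE = re.compile(r'C:\\WINDOWS\\([^\\\s"]+\.(?:exe|dll))\b', re.IGNORECASE)
# Illustrative allowlists (assumptions): the helper left the Spybot helper BHO alone.
KNOWN_GOOD_FRAGMENTS = ("spybot - search & destroy\\sdhelper.dll",)
KNOWN_WINDIR_ROOT_FILES = {"explorer.exe"}


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "R1", "O2"
    body: str      # the rest of the log line
    reasons: list  # why a reviewer would tick it


def classify(section: str, body: str) -> list:
    """Return the list of reasons an entry should be ticked (empty means leave it)."""
    reasons = []
    low = body.lower()
    if section in ("R0", "R1") and "res://" in low:
        reasons.append("IE start/search page redirected to a res:// page inside a DLL")
    if section == "R3" and "urlsearchhook is missing" in low:
        reasons.append("default URLSearchHook has been removed")
    if section == "O2" and "(file missing)" in low \
            and not any(frag in low for frag in KNOWN_GOOD_FRAGMENTS):
        reasons.append("BHO still registered but its DLL is missing")
    m = WINDIR_ROOT_FILE.search(body)
    if m and m.group(1).lower() not in KNOWN_WINDIR_ROOT_FILES:
        reasons.append(f"{m.group(1)} loads from the Windows root directory")
    if section == "O4" and body.startswith("Startup:"):
        reasons.append("per-user Startup folder item; review manually")
    return reasons


def triage(log: str) -> list:
    """Parse an HJT log and return the entries that match at least one rule."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        reasons = classify(m.group(1), m.group(2))
        if reasons:
            findings.append(Finding(m.group(1), m.group(2), reasons))
    return findings


def fix_list(log: str) -> list:
    """The exact lines to tick in HijackThis, in log order."""
    return [f"{f.section} - {f.body}" for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} - {f.body}")
        for r in f.reasons:
            print(f"    -> {r}")
```

Running it prints the lines a reviewer would tick, each followed by the rule that caught it; entries such as the Dell O14 reset value, the Creative and HP startup items and the Spybot helper stay unflagged. The allowlists are deliberately tiny and a real triage script would grow them from a list of known-good system files.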

#7 sas

    Member

  • Full Member
  • 16 posts

Posted 04 August 2004 - 01:40 AM

808chick,

After I reboot and go to Start->Run and type in Services.msc, it cannot locate the file. Also tried a search for the file. No luck. I am posting the log from the Ad-aware scan.
THANKS AGAIN!


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, August 04, 2004 2:03:21 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R334 24.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R217 08.09.2003
Internal build : 107
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 574398 Bytes
Signature data size : 563299 Bytes
Reference data size : 11035 Bytes
Signatures total : 12937
Target categories : 10
Target families : 267
8-4-2004 1:50:26 AM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R334 24.07.2004
Internal build : 268
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 1316091 Bytes
Signature data size : 1295051 Bytes
Reference data size : 20976 Bytes
Signatures total : 28648
Target categories : 10
Target families : 528

8-4-2004 1:53:46 AM Success.
Update successfully downlodaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:0 %
Total physical memory:130316 kb
Available physical memory:660 kb
Total page file size:1966832 kb
Available on page file:1809148 kb
Total virtual memory:2093056 kb
Available virtual memory:2047872 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


8-4-2004 2:03:21 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279218133
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294961485
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:3 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294959445
Threads : 2
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294841453
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:5 [netah32.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294898385
Threads : 1
Priority : Normal
FileSize : 9 KB
Created on : 7/17/2004 4:34:45 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:46 AM

#:6 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294888721
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:7 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294888381
Threads : 5
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft ® PCHealth
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:8 [devldr16.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294853785
Threads : 3
Priority : Normal
FileSize : 37 KB
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr16
InternalName : DevLdr
OriginalFilename : DevLdr16.exe
ProductName : Creative Ring3 NT Inteface
Created on : 11/29/2000 11:42:14 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/5/2000 6:32:08 PM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294953425
Threads : 20
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:10 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294715725
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:11 [em_exec.exe]
FilePath : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\
ProcessID : 4294712489
Threads : 2
Priority : Normal
FileSize : 33 KB
FileVersion : 9.01.78
ProductVersion : 9.01
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 11/29/2000 11:37:50 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 2/4/2000 1:01:00 PM

#:12 [navapw32.exe]
FilePath : C:\PROGRAM FILES\NORTON ANTIVIRUS\
ProcessID : 4294747317
Threads : 6
Priority : Normal
FileSize : 48 KB
FileVersion : 6.20.00.04
ProductVersion : 6.20.00.04
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.DLL
ProductName : Norton AntiVirus
Created on : 11/29/2000 11:46:37 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/6/2000 10:00:00 AM

#:13 [qttask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294745661
Threads : 2
Priority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
FileDescription : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 2/1/2004 7:45:31 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 2/1/2004 7:45:32 PM

#:14 [ieiz.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294643313
Threads : 1
Priority : Normal
FileSize : 26 KB
Created on : 7/17/2004 4:34:13 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:18 AM

#:15 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294666309
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:16 [qkshield.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294681781
Threads : 1
Priority : Normal
FileSize : 517 KB
FileVersion : 2.4.0.0
ProductVersion : 2.4.0.0
Copyright : Copyright
CompanyName : United Software
FileDescription : QuikShield
InternalName : QuikShield
OriginalFilename : qkshield.exe
ProductName : QuikShield
Created on : 7/18/2004 2:59:16 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/18/2004 2:58:54 AM

#:17 [money express.exe]
FilePath : C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\
ProcessID : 4294691649
Threads : 4
Priority : Normal
FileSize : 172 KB
FileVersion : 9.00.0715
ProductVersion : 9.00.0715
Copyright : Copyright © Microsoft Corp. 1990-2000. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : MoneyExpress
OriginalFilename : MoneyExpress.EXE
ProductName : Microsoft Money
Created on : 7/19/2000 1:00:00 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/19/2000 1:00:00 PM

#:18 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294587033
Threads : 3
Priority : Realtime
FileSize : 31 KB
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 11/30/2002 10:44:26 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 10/30/2001 12:10:00 PM

#:19 [stimon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294426561
Threads : 5
Priority : Normal
FileSize : 27 KB
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:20 [wuauclt.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294717157
Threads : 3
Priority : Idle
FileSize : 180 KB
FileVersion : 5.4.5681.0
ProductVersion : 5.4.5681.0
CompanyName : Microsoft Corporation
FileDescription : Microsoft AutoUpdate
InternalName : WUAUCLT.EXE
OriginalFilename : WUAUCLT.EXE
ProductName : Microsoft Windows Update - AutoUpdate feature
Created on : 3/8/2004 7:58:44 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 9/16/2002 1:37:16 PM

#:21 [hpzstatx.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294332825
Threads : 5
Priority : Normal
FileSize : 156 KB
FileVersion : 1.14.2000
ProductVersion : 1.14.2000
Copyright : Copyright 1999
CompanyName : Hewlett-Packard Company
FileDescription : DJStatusServer Module
InternalName : DJSTATUSSERVER
OriginalFilename : DJSTATUSSERVER.EXE
ProductName : DJStatusServer Module
Created on : 12/27/2000 12:59:13 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 4/7/2000 7:55:00 AM

#:22 [osa9.exe]
FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\
ProcessID : 4294452357
Threads : 1
Priority : Normal
FileSize : 64 KB
FileVersion : 9.0.3720
ProductVersion : 9.0.3720
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office 2000 component
InternalName : Osa
OriginalFilename : Osa.Exe
ProductName : Microsoft Office 2000
Created on : 8/10/2000 4:00:00 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 8/10/2000 4:00:00 PM

#:23 [osa9.exe]
FilePath : C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\
ProcessID : 4294397621
Threads : 1
Priority : Normal
FileSize : 64 KB
FileVersion : 9.0.3720
ProductVersion : 9.0.3720
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office 2000 component
InternalName : Osa
OriginalFilename : Osa.Exe
ProductName : Microsoft Office 2000
Created on : 8/10/2000 4:00:00 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 8/10/2000 4:00:00 PM

#:24 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294150029
Threads : 3
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:25 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294123253
Threads : 6
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:26 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294444001
Threads : 6
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:07:38 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 8/29/2002 11:07:38 AM

#:27 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294480977
Threads : 3
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:28 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294564473
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 8/4/2004 5:47:08 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}


Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://bunwc.dll/index.html#37794"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://bunwc.dll/index.html#37794"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://bunwc.dll/index.html#37794"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://bunwc.dll/index.html#37794"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://bunwc.dll/index.html#37794"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://bunwc.dll/index.html#37794"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://bunwc.dll/index.html#37794"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://bunwc.dll/index.html#37794"


Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Handler\icoo


Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D}


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 6
Objects found so far: 8


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : File
Data : bunwc.dll
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\
FileSize : 69 KB
Created on : 7/17/2004 4:34:57 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:35:06 AM



Tracking Cookie Object recognized!
Type : File
Data : default@gator[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\COOKIES\

Created on : 8/3/2004 7:22:41 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 8/3/2004 7:22:42 PM



Tracking Cookie Object recognized!
Type : File
Data : default@kelkoo.co[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\COOKIES\

Created on : 12/6/2003 5:32:56 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 12/6/2003 5:32:58 AM



CoolWebSearch Object recognized!
Type : File
Data : scanregw.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 7/17/2004 4:34:46 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:48 AM



CoolWebSearch Object recognized!
Type : File
Data : scanregw.exe.bak
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 18 KB
Created on : 7/17/2004 4:34:46 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:48 AM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 13


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Adverts


Win32.Adverts.TrojanDownloader Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : icoo


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW


CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 6
Objects found so far: 19


2:16:30 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:13:08:290
Objects scanned :126733
Objects identified :19
Objects ignored :0
New objects :19

#8 808chick

Posted 04 August 2004 - 05:38 AM

sas,
Please post your HijackThis log.

#9 sas

Posted 04 August 2004 - 09:21 AM

808chick,

Here are the latest scan logs.

Thanks,
Steve


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, August 04, 2004 11:37:51 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R217 08.09.2003
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R217 08.09.2003
Internal build : 107
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 574398 Bytes
Signature data size : 563299 Bytes
Reference data size : 11035 Bytes
Signatures total : 12937
Target categories : 10
Target families : 267

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:27 %
Total physical memory:130316 kb
Available physical memory:10356 kb
Total page file size:1966832 kb
Available on page file:1874868 kb
Total virtual memory:2093056 kb
Available virtual memory:2058304 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


8-4-2004 11:37:51 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279216985
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294962625
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294839757
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294838161
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:5 [netah32.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294877241
Threads : 1
Priority : Normal
FileSize : 9 KB
Created on : 7/17/2004 4:34:45 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:46 AM

#:6 [devldr16.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294878577
Threads : 3
Priority : Normal
FileSize : 37 KB
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr16
InternalName : DevLdr
OriginalFilename : DevLdr16.exe
ProductName : Creative Ring3 NT Inteface
Created on : 11/29/2000 11:42:14 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/5/2000 6:32:08 PM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294899021
Threads : 19
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:8 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294823161
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:9 [em_exec.exe]
FilePath : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\
ProcessID : 4294718453
Threads : 1
Priority : Normal
FileSize : 33 KB
FileVersion : 9.01.78
ProductVersion : 9.01
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 11/29/2000 11:37:50 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 2/4/2000 1:01:00 PM

#:10 [navapw32.exe]
FilePath : C:\PROGRAM FILES\NORTON ANTIVIRUS\
ProcessID : 4294804617
Threads : 6
Priority : Normal
FileSize : 48 KB
FileVersion : 6.20.00.04
ProductVersion : 6.20.00.04
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.DLL
ProductName : Norton AntiVirus
Created on : 11/29/2000 11:46:37 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/6/2000 10:00:00 AM

#:11 [qttask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294724885
Threads : 2
Priority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
FileDescription : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 2/1/2004 7:45:31 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 2/1/2004 7:45:32 PM

#:12 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294749417
Threads : 4
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft ® PCHealth
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:13 [ieiz.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294758673
Threads : 1
Priority : Normal
FileSize : 26 KB
Created on : 7/17/2004 4:34:13 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/17/2004 4:34:18 AM

#:14 [qkshield.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294653341
Threads : 1
Priority : Normal
FileSize : 517 KB
FileVersion : 2.4.0.0
ProductVersion : 2.4.0.0
Copyright : Copyright
CompanyName : United Software
FileDescription : QuikShield
InternalName : QuikShield
OriginalFilename : qkshield.exe
ProductName : QuikShield
Created on : 7/18/2004 2:59:16 AM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/18/2004 2:58:54 AM

#:15 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294664529
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:16 [money express.exe]
FilePath : C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\
ProcessID : 4294678953
Threads : 4
Priority : Normal
FileSize : 172 KB
FileVersion : 9.00.0715
ProductVersion : 9.00.0715
Copyright : Copyright © Microsoft Corp. 1990-2000. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : MoneyExpress
OriginalFilename : MoneyExpress.EXE
ProductName : Microsoft Money
Created on : 7/19/2000 1:00:00 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/19/2000 1:00:00 PM

#:17 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294574937
Threads : 3
Priority : Realtime
FileSize : 31 KB
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 11/30/2002 10:44:26 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 10/30/2001 12:10:00 PM

#:18 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294685085
Threads : 3
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:19 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294637097
Threads : 2
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:20 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294516897
Threads : 5
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright © Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:21 [stimon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294485417
Threads : 5
Priority : Normal
FileSize : 27 KB
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft® Windows® Millennium Operating System
Created on : 1/1/1601
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/8/2000 9:00:00 PM

#:22 [wuauclt.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294396249
Threads : 3
Priority : Idle
FileSize : 180 KB
FileVersion : 5.4.5681.0
ProductVersion : 5.4.5681.0
CompanyName : Microsoft Corporation
FileDescription : Microsoft AutoUpdate
InternalName : WUAUCLT.EXE
OriginalFilename : WUAUCLT.EXE
ProductName : Microsoft Windows Update - AutoUpdate feature
Created on : 3/8/2004 7:58:44 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 9/16/2002 1:37:16 PM

#:23 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294612057
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 8/4/2004 3:35:19 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

MySearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C1-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C2-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C3-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C5-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C7-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{014DA6CB-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{014DA6C4-189F-421A-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{014DA6C6-189F-421A-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{014DA6CA-189F-421A-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{014DA6CC-189F-421A-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.NetscapeShutdown


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.NetscapeShutdown.1


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.NetscapeStartup


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.NetscapeStartup.1


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.SettingsPlugin


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : MySearchToolBar.SettingsPlugin.1


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\My Search Uninstall


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\MySearch


MySearch Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{014DA6C0-189F-421A-88CD-07CFE51CFF10}


MySearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "MySearchToolBar.NetscapeShutdown.1"
Rootkey : HKEY_CURRENT_USER
Object : Software\Netscape\Netscape Navigator\Automation Shutdown
Value : MySearchToolBar.NetscapeShutdown.1


MySearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "MySearchToolBar.NetscapeStartup.1"
Rootkey : HKEY_CURRENT_USER
Object : Software\Netscape\Netscape Navigator\Automation Startup
Value : MySearchToolBar.NetscapeStartup.1


Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 25
Objects found so far: 25


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 25


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

MySearch Object recognized!
Type : File
Data : mysearchpluginproxy.class
Category : Misc
Comment :
Object : C:\Program Files\MySearch\bar\1.bin\

Created on : 6/4/2004 12:18:33 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/4/2004 12:18:34 PM



MySearch Object recognized!
Type : File
Data : s42ns.exe
Category : Misc
Comment :
Object : C:\Program Files\MySearch\bar\1.bin\
FileSize : 24 KB
Created on : 6/4/2004 12:18:33 PM
Last accessed : 8/4/2004 4:00:00 AM
Last modified : 6/4/2004 12:18:34 PM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 27


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

MySearch Object recognized!
Type : Folder
Category : Misc
Comment :
Object : c:\program files\MySearch


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 28


11:42:43 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:04:51:770
Objects scanned :112381
Objects identified :28
Objects ignored :0
New objects :28



Logfile of HijackThis v1.98.0
Scan saved at 11:48:48 AM, on 8/4/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\NETAH32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\IEIZ.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\QKSHIELD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [IEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Edited by sas, 04 August 2004 - 10:58 AM.


#10 808chick

Posted 04 August 2004 - 08:25 PM

Hey Steve,
Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

Reboot to Safe Mode
How to start the computer in Safe mode

Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK"

Close all browsers and windows (including this one). Scan with Hijack This and put checks in the boxes next to all the following lines, then click Fix Checked
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794

O2 - BHO: Class - {EC366D55-9B78-927C-0928-477053375DFF} - C:\WINDOWS\IEUF32.DLL

O4 - HKLM\..\Run: [IEIZ.EXE] C:\WINDOWS\IEIZ.EXE
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE


You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it.
O4 - Startup: PowerReg Scheduler.exe

Delete the following files/folders if present.
C:\WINDOWS\system\bunwc.dll
C:\WINDOWS\IEUF32.DLL
C:\WINDOWS\IEIZ.EXE
C:\WINDOWS\NETAH32.EXE

Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with Adaware and let it remove any bad files found.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin


Go to Start => Run and type in "regedit" (without quotes) and press "Enter".
Once the registry opens, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3
If __NS_Service_3 exists, right-click on it and choose Delete from the menu.
Still in the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3
If LEGACY___NS_Service_3 exists, right-click on it and choose Delete from the menu.
Exit regedit and reboot in Normal Mode.

Scan again with HijackThis and post a new log here (just a HijackThis log please :D ).

Finally, do an online scan HERE. Let it remove any infected files found.

Replace Deleted Files
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

Edited by 808chick, 04 August 2004 - 08:33 PM.
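As an added example (not code from this thread, from HijackThis or from Ad-aware), here is the check 808chick made by eye above, written out: parse the R0/R1 lines of a HijackThis log and flag every start or search page whose target is a res:// resource inside a DLL rather than a web URL, report which DLL to look for on disk, and pull the OEM default start page that HijackThis records from IERESET.INF (the O14 line). The sample log lines are constructed from the log posted above; the regexes and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the R0/R1/O14 lines from the HijackThis log posted above,
# plus an ordinary http:// Search Bar line and an R3 line that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bunwc.dll/index.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bunwc.dll/sp.html#37794
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bunwc.dll/index.html#37794
R3 - Default URLSearchHook is missing
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
"""

# "R1 - HKCU\Software\...\Main,Search Page = <data>"  ->  kind, hive, key, value, data
R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$"
)
# A start/search page served as a resource from inside a DLL (res:// protocol).
RES_DLL = re.compile(
    r"^res://(?P<module>.+?\.dll)/(?P<resource>[^#]+)(?:#(?P<fragment>\S*))?$", re.IGNORECASE
)
# The OEM default start page that HijackThis reads from IERESET.INF (O14 line).
O14_LINE = re.compile(r"^O14 - IERESET\.INF: START_PAGE_URL=(?P<url>\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # "R0" or "R1"
    hive: str      # "HKCU" or "HKLM"
    key: str       # registry key below the hive
    value: str     # registry value name, e.g. "Start Page"
    module: str    # DLL named in the res:// URL, exactly as the log printed it
    data: str      # the full setting as HijackThis printed it


def parse_r_line(line: str) -> Optional[Dict[str, str]]:
    """Split an R0/R1 line into its fields; None for any other kind of line."""
    m = R_LINE.match(line.strip())
    return m.groupdict() if m else None


def flag_res_hijacks(log_text: str) -> List[Finding]:
    """Return every R0/R1 entry whose target is a res:// page inside a DLL."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        fields = parse_r_line(raw)
        if fields is None:
            continue
        url = RES_DLL.match(fields["data"])
        if url is None:
            continue  # ordinary http://, about:blank and similar values are left alone
        findings.append(Finding(
            kind=fields["kind"], hive=fields["hive"], key=fields["key"],
            value=fields["value"], module=url.group("module"), data=fields["data"],
        ))
    return findings


def hijack_modules(findings: List[Finding]) -> Set[str]:
    """Distinct DLL basenames behind the flagged entries: the files to look for on disk."""
    return {f.module.rsplit("\\", 1)[-1].lower() for f in findings}


def oem_default_start_page(log_text: str) -> Optional[str]:
    """The start page IERESET.INF would restore, if HijackThis reported one (O14)."""
    for raw in log_text.splitlines():
        m = O14_LINE.match(raw.strip())
        if m:
            return m.group("url")
    return None


if __name__ == "__main__":
    hits = flag_res_hijacks(SAMPLE_LOG)
    for h in hits:
        print(f"{h.kind} {h.hive}\\{h.key},{h.value} -> {h.module}")
    print("DLLs to locate:", sorted(hijack_modules(hits)))
    print("OEM default start page:", oem_default_start_page(SAMPLE_LOG))
```

Run against the log above it flags the six R0/R1 entries 808chick listed for fixing, names bunwc.dll as the one DLL behind all of them, and leaves the http:// Search Bar line alone.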


#11 sas

Posted 05 August 2004 - 02:02 AM

808chick,

I followed your latest instructions all the way down to the HouseCall scan. The scan detected 3 files infected with a trojan. When I try to delete the files I get a message - unable to clean the file c:\restore\archive\FS6638.CAB because it is currently in use. In the scan register it also has items marked cannot access.
I failed to save the aboutbuster log :blush:.
Posting HijackThis log.
The great news :thumbsup:, I have my home page back, thanks.

Logfile of HijackThis v1.98.0
Scan saved at 12:03:40 AM, on 8/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\QKSHIELD.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Edited by sas, 05 August 2004 - 02:03 AM.
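As an added illustration (not code from this thread or from HijackThis itself), here is a small Python parser for the log format posted above; the sample lines are copied from that log, and the triage rules are this editor's assumptions about which entry types a helper normally asks a poster to verify before anything is fixed.

```python
"""Parse HijackThis-style log lines and pick out the entries worth verifying.
Added example; triage rules are assumptions, not HijackThis's own logic."""
import re

# Constructed sample: entry lines in the format HijackThis v1.98 writes,
# copied from the log above (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\Run: [clockplugin] C:\Windows\Pluglns\clock.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
"""

# "O4 - <rest>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: hive, Run/RunServices key, [value name], command line.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Return one dict per entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        if entry["section"] == "O4":
            run = RUN_RE.match(entry["body"])
            if run:
                entry.update(run.groupdict())
        entries.append(entry)
    return entries


def triage(entries):
    """Return (entry, reason) pairs for entries to verify before deciding on them."""
    flagged = []
    for e in entries:
        if "(file missing)" in e["body"]:
            flagged.append((e, "registration points at a file that no longer exists"))
        elif e["section"] == "O4" and "cmd" in e and "\\" not in e["cmd"]:
            flagged.append((e, "autostart with a bare filename: check which copy the search path resolves to"))
        elif e["section"] == "O16":
            flagged.append((e, "ActiveX control downloaded from a URL (DPF): confirm the publisher is expected"))
        elif e["section"] == "O21":
            flagged.append((e, "DLL loaded into the shell at logon (SSODL): confirm it is known"))
    return flagged
```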


#12 808chick

Posted 05 August 2004 - 07:44 AM

Hey Steve,
That's good to hear, glad we could help! :D
Here are some steps to avoid reinfection:
Read How did I get infected in the first place?

Download and install the following programs (all are free):
Spyware Blaster - SpywareBlaster will prevent spyware from being installed and consumes no system resources.
Spyware Guard - SpywareGuard v2.2.0 provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
IE-SPYAD - IE-SPYAD places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system.

Install a firewall, such as Zone Alarm

And always remember to update Windows & Internet Explorer.

#13 sas

Posted 05 August 2004 - 11:24 AM

808chick,

Just a couple more questions please. I could not link to the site to replace my deleted files from the post. What do I need to do about the 3 infected files (trojan) that I mentioned in the post above? Do I need to purchase a real-time virus blocker (if yes, any suggestion on which one)? Finally, could you recommend a spam/pop-up blocker, or am I already set up with the files you had me download? (I currently keep receiving a pop-up for QuikShield.)
Thanks for your patience and help!!! All of this info has been a little mind-boggling, but I feel I have learned from your advice and help.

BIG THANKS :thumbsup:

#14 808chick

Posted 05 August 2004 - 08:23 PM

Which of the links could you not use? Or was it all of them? Just wondering because they just worked for me. The 'Hoster' link goes directly into a download (zip file), and the control.exe & SdHelper.dll go to Merijn's site.
For your trojans, try this online scan: Panda Active Scan. If you are still having trouble with those Trojans, try Trojan Hunter (it has a free trial).
What kind of anti-virus are you running? I recommend AVG, with a2.
For a pop-up blocker, you can download the Google toolbar, or just switch internet browsers to Mozilla Firefox, which has a built-in pop-up blocker.

#15 sas

Posted 05 August 2004 - 10:04 PM

808chick,
The link is working now. The only one I could not get to link was Merijn's.
It came up "cannot display page"; it must have been a server problem or something. I tried it about half a dozen times last night.
:D :D :D THANKS AGAIN :D :D :D

STEVE (SOUTH CAROLINA)

Edited by sas, 05 August 2004 - 10:07 PM.


#16 808chick

Posted 06 August 2004 - 12:25 AM

No problem
Merijn's site is sometimes under attack, that might explain why you were not able to get in earlier.

#17 808chick

Posted 11 August 2004 - 08:38 PM

***

Edited by 808chick, 11 August 2004 - 08:38 PM.


#18 WinHelp2002

Posted 04 October 2004 - 07:53 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file