Tried Everything

This topic is locked
10 replies to this topic

#1 dannyboy (Full Member, 6 posts)

Posted 16 May 2004 - 05:52 PM

Need help here, please. I've tried Shredder, I have Webroot Spysweeper, I've tried Bazooka and run McAfee virus scan. Diddled with RegEdit and tried to identify specific files to remove, but I can't quite eliminate the problem, especially on start-up. Here is my HijackThis log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NYBOT\VPN\cvpnd.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.203.0\QOELoader.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\NYBOT\VPN\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8039.5012152778
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab

#2 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 17 May 2004 - 11:28 AM

Hi,
Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked".

R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab


Reboot and then ...

Download the latest version of Ad-Aware:
http://www.lavasoft....ftware/adaware/

After installing AAW, and before running the program, reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh (complete) log ...
You're missing the top part ...
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
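The four entries the moderator singled out above (the missing URLSearchHook, the Hosts redirect, the unresolvable startup shortcut and the unnamed ActiveX download) can be expressed as rules and run over the whole log. The script below is an added example written for this page, not HijackThis code and not anything the moderator ran; its sample lines are copied from the first post, the rules are the editor's own reading of the moderator's picks, and a real triage would also check each O16 download host against an allowlist, which this copy of the log cannot do because the forum has truncated the URLs.

```python
"""Rule-based triage of a HijackThis 1.x log.

Added example for this thread (not HijackThis code). It encodes the four
findings the moderator picked out of the first log as rules, so the same log
can be screened mechanically. SAMPLE_LOG is copied from the first post.
"""
import ipaddress
import re

# Hosts-file targets that merely block a name rather than redirect it.
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# One HijackThis scan line: section tag, " - ", then the entry body.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# A legitimate O16 carries "{CLSID} (Friendly Name) - URL".
NAMED_DPF_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} \(.+?\) - ")


def parse_hjt(text):
    """Yield (section, body) for every scan line; process listing etc. is skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def check_line(section, body):
    """Return a reason string if the entry looks hijacked, else None."""
    if section == "R3" and "is missing" in body:
        # A hijacker removed the URLSearchHook; HJT restores the default on "fix".
        return "default URLSearchHook missing"

    if section == "O1" and body.startswith("Hosts:"):
        # "Hosts: <ip> <name>": anything not pointing at the loopback or null
        # address redirects that name to someone else's server.
        parts = body.split()
        if len(parts) >= 3:
            try:
                ipaddress.ip_address(parts[1])
            except ValueError:
                return "unparseable hosts entry"
            if parts[1] not in BLOCKING_TARGETS:
                return "hosts file redirects %s to %s" % (parts[2], parts[1])

    if section == "O4" and body.endswith("= ?"):
        # A startup shortcut whose target HijackThis could not resolve.
        return "startup shortcut with unresolvable target"

    if section == "O16" and body.startswith("DPF:") and not NAMED_DPF_RE.search(body):
        # Bare CLSID followed directly by a URL: the pattern of bundled adware.
        return "ActiveX download with no class description"

    return None


def triage(text):
    """Return [(line, reason)] for every entry the rules flag, in log order."""
    findings = []
    for section, body in parse_hjt(text):
        reason = check_line(section, body)
        if reason:
            findings.append(("%s - %s" % (section, body), reason))
    return findings


# Lines copied from the first post in the thread (URLs truncated as posted).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```

Run as-is it prints exactly the four lines the moderator told the poster to fix. The hosts rule is the one worth keeping long-term: a Hosts entry that maps a name to a public address is a redirect, not a block, whatever the name looks like.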

#3 dannyboy (Full Member, 6 posts)

Posted 17 May 2004 - 09:17 PM

Ok, I followed your instructions and here is the new log:

Logfile of HijackThis v1.97.7
Scan saved at 10:09:34 PM, on 5/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NYBOT\VPN\cvpnd.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Qurb\QSP-2.1.213.0\QOELoader.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.0\QOELoader.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\NYBOT\VPN\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8039.5012152778
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab

#4 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 17 May 2004 - 10:29 PM

Hi,
Start | Run (paste the below) click Ok

regedit /e c:\export.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian"


Paste the contents of "export.txt" into your next post, along with the following:

Paste the below into IE's Address Bar, press "Go" or hit Enter

javascript:navigator.userAgent


Mike

#5 dannyboy (Full Member, 6 posts)

Posted 18 May 2004 - 09:50 PM

Here is the Java.Navigator result:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {439855C2-7F23-41AA-A3EE-4222C90A7C07})


However, when I pasted the regedit command in the Run dialog box, nothing happened. Did I do something wrong?

Thanks again for your help.

#6 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 19 May 2004 - 02:50 AM

Hi,
Download: VX2Finder
http://tools.zerosre...m/VX2Finder.exe

Double-click to run, once open ...
Click "Click to Find ..." button
Next click the "Make Log" button
Note: generates "Vx2.log" paste the contents in next post.

Next click "Delete these files" button.
Note: you will be left with notice about one to be deleted on reboot.
It will ask to reboot on deletion of the last file (do that).

After reboot, delete Guardian key & User Agent Key

Go to Start | Run (type) "regedit" (no quotes)
Navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Guardian]


Right-click the Guardian key (left pane) and delete.

Note: if unable to delete:
Right-click the Guardian key (left pane)
Select Permissions > Advanced
Uncheck: "Inherit permissions from parent...."
Note: if prompted by a dialog box, click Remove
Exit Regedit and reboot.

Now navigate back to that same Guardian key and recheck that same "inherit permissions from parent..." box.

Then right-click on Guardian again and select delete.

Now navigate to:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

Highlight this entry (right pane) {439855C2-7F23-41AA-A3EE-4222C90A7C07}
Right-click and select: Delete, close Regedit and reboot.

On reboot test the "user Agent" again, paste the below into the IE Address Bar.

javascript:navigator.userAgent


You should see:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

After the above ... update and run Ad-Aware and then post a fresh log.

Edited by WinHelp2002, 19 May 2004 - 02:52 AM.

Mike

#7 dannyboy (Full Member, 6 posts)

Posted 19 May 2004 - 10:47 PM

OK, it did not work; I was left with one file. Here are the logs:

1st time:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\3aViewer.dll
C:\WINDOWS\System32\3bViewer.dll
C:\WINDOWS\System32\3cViewer.dll
C:\WINDOWS\System32\3eViewer.dll
C:\WINDOWS\System32\3fViewer.dll
C:\WINDOWS\System32\3lViewer.dll
C:\WINDOWS\System32\3mViewer.dll
C:\WINDOWS\System32\3oViewer.dll
C:\WINDOWS\System32\3pViewer.dll
C:\WINDOWS\System32\3qViewer.dll
C:\WINDOWS\System32\3tViewer.dll
C:\WINDOWS\System32\3uViewer.dll
C:\WINDOWS\System32\3xViewer.dll
C:\WINDOWS\System32\3yViewer.dll
C:\WINDOWS\System32\3zViewer.dll
C:\WINDOWS\System32\aad.dll
C:\WINDOWS\System32\aoctres.dll
C:\WINDOWS\System32\arsldpc.dll
C:\WINDOWS\System32\arsnt.dll
C:\WINDOWS\System32\artiveds.dll
C:\WINDOWS\System32\aului.dll
C:\WINDOWS\System32\ayd.dll


Guardian Key--- is called: GuardianBSRUH
Asynchronous 000
DllName C:\WINDOWS\system32\arsldpc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {439855C2-7F23-41AA-A3EE-4222C90A7C07}
IDex DS3

User Agent String---
{439855C2-7F23-41AA-A3EE-4222C90A7C07}

After this I was left with one.dll which VX2 Finder said it could not remove: arsldpc.dll

I rebooted, ran the javascript, and still saw the same bad stuff. I ran VX2 Finder again, which found 2 files, ars... being one; the other I removed. On reboot, I ran VX2 again and this is the log:

Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6ao4svc.dll
C:\WINDOWS\System32\arsldpc.dll


Guardian Key--- is called: GuardianNFFCO
Asynchronous 000
DllName C:\WINDOWS\system32\arsldpc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {439855C2-7F23-41AA-A3EE-4222C90A7C07}
IDex DS3

User Agent String---
{439855C2-7F23-41AA-A3EE-4222C90A7C07}

By the way, I did the Regedit, and upon reboot found the Guardian file back as well as the other. I tried manually removing the arsl... file, no luck; the system said it was in use, and I could not find it in Task Manager, etc.

Here is my final javascript log:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {439855C2-7F23-41AA-A3EE-4222C90A7C07}

So now what?

#8 WinHelp2002 (Global Moderator, 5,365 posts)

Posted 20 May 2004 - 05:35 AM

Dan,

"which VX2 Finder said it could not remove: arsldpc.dll"

When you run Vx2Finder did you see a message about:

"one to be deleted on reboot"

Where "one" should have been "arsldpc.dll".

"I rebooted, ran javascript, and still saw the same bad stuff"

On reboot run Vx2Finder and use the buttons on the right side to remove the "userAgent", then hit the "Guardian reg" button, and finally the "Restore Policy" button and reboot.

Note: the "Guardian" key in the Registry is morphing on each restart.
You cannot delete the main culprit "arsldpc.dll" from within Windows. Vx2Finder is the only known safe method for removing Look2Me. Their methods change all the time ... as soon as a method of removal is discovered, L2M changes how their files or Registry entries act, so it's hard to keep up.

Perhaps try the above steps in Safe Mode?
Mike
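Posts #4, #6 and #8 revolve around two registry locations: the Winlogon\Notify subkey, whose DllName is loaded into winlogon.exe at logon (which is why arsldpc.dll shows as in use, never appears in Task Manager, and is back under a new random key name after every restart), and the User Agent\Post Platform key, whose value names are appended to IE's User-Agent string. The script below is an added example, not VX2Finder code or any tool from this thread: it parses the text that `regedit /e` writes and flags every Notify package that is not in a baseline of stock Windows XP packages, so a key that renames itself from GuardianBSRUH to GuardianNFFCO is still caught, plus any GUID-shaped Post Platform token. The baseline set is the editor's assumption, and SAMPLE_REG is constructed from the values VX2Finder printed in post #7 rather than being a real export.

```python
"""Screen a regedit /e export for Look2Me-style Winlogon persistence.

Added example for this thread, not VX2Finder code. It parses regedit /e
output and flags (a) Winlogon Notify packages outside a baseline of stock
Windows XP entries and (b) GUID tokens in the IE Post Platform key.
XP_NOTIFY_BASELINE is an assumption; SAMPLE_REG is constructed from the
values VX2Finder printed in post #7, not a real export.
"""
import re

# Winlogon Notify packages on a stock Windows XP SP1 install (assumption for
# this example; OEM drivers such as Intel graphics legitimately add their own).
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp",
                      "Schedule", "sclgntfy", "SensLogn", "termsrv", "wlballoon"}
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")
POST_PLATFORM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
                     r"\CurrentVersion\Internet Settings\User Agent\Post Platform")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')


def load_reg(path):
    """Read a .reg file: regedit writes UTF-16LE with a BOM, REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16" if data.startswith(b"\xff\xfe") else "cp1252")


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text.

    Quoted strings are unescaped, dword data becomes an int, and hex(...) byte
    lists (which regedit wraps with trailing backslashes) are joined and kept
    as raw text.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]          # hex data continues on the next line
            continue
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name, data = m.group("name") or "@", m.group("data")
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_suspects(keys, baseline=XP_NOTIFY_BASELINE):
    """Return [(key, reason)] for entries worth removing."""
    known = {b.lower() for b in baseline}        # registry names are case-insensitive
    findings = []
    for key, values in keys.items():
        parent, _, name = key.rpartition("\\")
        if parent.lower() == NOTIFY_KEY.lower() and name.lower() not in known:
            # Whatever the subkey is called this reboot, its DllName is loaded
            # into winlogon.exe at logon, which is why the file shows as in use
            # and never appears in Task Manager.
            findings.append((key, "unknown Winlogon Notify package loads %s"
                             % values.get("DllName", "?")))
        elif key.lower() == POST_PLATFORM_KEY.lower():
            # Every value name here is appended to IE's User-Agent string.
            for token in values:
                if GUID_RE.match(token):
                    findings.append((key, "GUID token %s appended to the User-Agent" % token))
    return findings


# Constructed from the VX2Finder output in post #7; not a real export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianBSRUH]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\arsldpc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"=dword:0000007c
"ID"="{439855C2-7F23-41AA-A3EE-4222C90A7C07}"
"IDex"="DS3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
".NET CLR 1.1.4322"=""
"{439855C2-7F23-41AA-A3EE-4222C90A7C07}"=""
"""

if __name__ == "__main__":
    for key, reason in find_suspects(parse_reg(SAMPLE_REG)):
        print(key.rpartition("\\")[2], "->", reason)
```

Usage on a real machine is `load_reg("c:\\export.txt")` after exporting the whole Winlogon\Notify key (not just the one Guardian subkey, since its name changes) and the Post Platform key. The allowlist approach is the point: matching on the name "Guardian" would miss the next rename, while anything outside the stock set is flagged no matter what it is called.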

#9 dannyboy (Full Member, 6 posts)

Posted 20 May 2004 - 07:49 PM

I tried the safe mode removal yesterday and I tried again today, no luck. VX Finder does not say "one to be deleted on reboot", it just says "cannot delete this one", referring of course to arsldpc.dll. I can see the buttons on the side and used them in the sequence you suggested, but no luck. What's next? Am I going to have to wipe my hard drive, or re-install XP? How about a system restore to a date prior to the infection?

#10 dannyboy (Full Member, 6 posts)

Posted 20 May 2004 - 09:12 PM

Here's the Adaware Post:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, May 20, 2004 9:39:33 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R306 19.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R304 16.05.2004
Internal build : 236
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
Total size : 1116816 Bytes
Signature data size : 1098071 Bytes
Reference data size : 18681 Bytes
Signatures total : 24559
Target categories : 10
Target families : 469
5-20-2004 9:39:19 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R306 19.05.2004
Internal build : 238
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
Total size : 1130501 Bytes
Signature data size : 1111499 Bytes
Reference data size : 18938 Bytes
Signatures total : 24860
Target categories : 10
Target families : 476

5-20-2004 9:39:24 PM Success.
Update successfully downlodaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:59 %
Total physical memory:515604 kb
Available physical memory:300140 kb
Total page file size:1260204 kb
Available on page file:1090976 kb
Total virtual memory:2097024 kb
Available virtual memory:2050548 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


5-20-2004 9:39:33 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-21-2004 1:37:10 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 1:37:16 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 1:37:16 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:09 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 1:37:16 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:04 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 1:37:17 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:10 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 1:37:17 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:10 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-21-2004 1:37:19 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:10 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-21-2004 1:37:19 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/14/2003 2:58:01 AM
Last accessed : 5/21/2004 1:37:33 AM
Last modified : 8/29/2002 12:00:00 PM

#:9 [cvpnd.exe]
FilePath : C:\Program Files\NYBOT\VPN\
ThreadCreationTime : 5-21-2004 1:37:20 AM
BasePriority : Normal
FileSize : 1260 KB
FileVersion : 3.6.4 (Rel)
ProductVersion : 3.6.4 (Rel)
Copyright : Copyright
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
OriginalFilename : CVPND.EXE
ProductName : Cisco Systems VPN Client
Created on : 3/4/2004 4:50:29 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 3/26/2003 7:56:28 PM

#:10 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-21-2004 1:37:21 AM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 8, 0, 0, 12
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan
Created on : 2/23/2004 5:58:14 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/8/2003 11:04:38 PM

#:11 [scsiaccess.exe]
FilePath : C:\Program Files\Photodex\ProShowGold\
ThreadCreationTime : 5-21-2004 1:37:21 AM
BasePriority : Normal
FileSize : 177 KB
Created on : 4/16/2004 11:04:44 PM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 4/16/2004 11:04:44 PM

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 1:37:22 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/14/2003 2:58:10 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/29/2002 12:00:00 PM

#:13 [brmfrsmg.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 1:37:23 AM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 1.45.15.340
ProductVersion : 1.45.15.340
Copyright : Copyright © 1996-2001 Brother Industries, Ltd.
CompanyName : Brother Industries, Ltd.
FileDescription : Brother MFL Pro Resource Manager
InternalName : BrmfRsmg for Windows2000
OriginalFilename : BrmfRsmg.exe
ProductName : Brother MFL Pro
Created on : 2/27/2004 1:59:43 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 8/18/2001 3:36:38 AM

#:14 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-21-2004 1:37:25 AM
BasePriority : High
FileSize : 220 KB
Created on : 2/23/2004 5:58:13 AM
Last accessed : 5/21/2004 1:26:00 AM
Last modified : 3/13/2002 1:50:34 PM

#:15 [ezsp_px.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 1:37:37 AM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright © 2002 Easy Systems Japan Ltd.
CompanyName : Easy Systems Japan Ltd.
FileDescription : ezSP_Px MFC Application
InternalName : ezSP_Px
OriginalFilename : ezSP_Px.EXE
ProductName : ezSP_Px Application
Created on : 8/15/2003 7:23:15 PM
Last accessed : 5/21/2004 1:37:37 AM
Last modified : 8/20/2002 5:29:26 PM

#:16 [tgcmd.exe]
FilePath : C:\program files\support.com\client\bin\
ThreadCreationTime : 5-21-2004 1:37:39 AM
BasePriority : Normal
FileSize : 1376 KB
FileVersion : 5,0,433,0
ProductVersion : 5,0,433,0
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : tgcmd Module
InternalName : TGCMD
OriginalFilename : TGCMD.DLL
ProductName : tgcmd Module
Created on : 4/12/2002 10:02:11 PM
Last accessed : 5/21/2004 1:37:39 AM
Last modified : 6/24/2003 12:32:54 AM

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-21-2004 1:37:42 AM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 8/14/2003 2:59:46 AM
Last accessed : 5/21/2004 1:37:42 AM
Last modified : 4/7/2003 7:07:38 AM

#:18 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-21-2004 1:37:43 AM
BasePriority : Normal
FileSize : 86 KB
FileVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
ProductVersion : 2.1.25 2.1.25 02/14/2003 11:58:58
Copyright : Copyright
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : Agere SoftModem Messaging Applet
Created on : 8/14/2003 2:59:11 AM
Last accessed : 5/21/2004 1:37:43 AM
Last modified : 2/14/2003 7:59:00 PM

#:19 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-21-2004 1:37:45 AM
BasePriority : Normal
FileSize : 160 KB
FileVersion : 8, 0, 0, 15
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan
Created on : 2/23/2004 5:58:14 AM
Last accessed : 5/21/2004 1:38:09 AM
Last modified : 8/18/2003 2:50:34 AM

#:20 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ThreadCreationTime : 5-21-2004 1:37:45 AM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 27
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 5/12/2004 1:02:05 AM
Last accessed : 5/21/2004 1:38:09 AM
Last modified : 12/8/2003 7:38:52 PM

#:21 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ThreadCreationTime : 5-21-2004 1:37:46 AM
BasePriority : Normal
FileSize : 404 KB
FileVersion : 8, 0, 0, 20
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
OriginalFilename : mcvsescn.EXE
ProductName : McAfee VirusScan
Created on : 2/23/2004 5:58:18 AM
Last accessed : 5/21/2004 1:26:31 AM
Last modified : 9/28/2003 6:47:00 PM

#:22 [directcd.exe]
FilePath : C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 5-21-2004 1:37:48 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright © 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 1/11/2001 10:00:00 AM
Last accessed : 5/21/2004 1:37:48 AM
Last modified : 2/25/2004 3:13:07 AM

#:23 [pptd40nt.exe]
FilePath : C:\progra~1\scansoft\paperp~1\
ThreadCreationTime : 5-21-2004 1:37:49 AM
BasePriority : Normal
FileSize : 26 KB
FileVersion : 6.5
ProductVersion : 6.5
Copyright : Copyright
CompanyName : Scansoft Inc.
FileDescription : PaperPort Print to Desktop for NT
InternalName : PPTD40NT
OriginalFilename : PPTD40NT.EXE
ProductName : PaperPort
Created on : 2/27/2004 2:11:25 AM
Last accessed : 5/21/2004 1:37:49 AM
Last modified : 4/2/2001 2:40:46 PM

#:24 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ThreadCreationTime : 5-21-2004 1:37:49 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 2/27/2004 2:51:41 AM
Last accessed : 5/21/2004 1:37:49 AM
Last modified : 1/26/2004 3:46:48 PM

#:25 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-21-2004 1:37:50 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.20.0107
ProductVersion : 8.20.0107
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 2/27/2004 2:51:40 AM
Last accessed : 5/21/2004 1:37:50 AM
Last modified : 1/26/2004 3:46:48 PM

#:26 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ThreadCreationTime : 5-21-2004 1:37:52 AM
BasePriority : Normal
FileSize : 280 KB
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
OriginalFilename : iTunesHelper.exe
ProductName : iTunes
Created on : 4/21/2004 3:28:18 PM
Last accessed : 5/21/2004 1:37:52 AM
Last modified : 4/21/2004 3:28:18 PM

#:27 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 5-21-2004 1:37:53 AM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 8/15/2003 7:23:02 PM
Last accessed : 5/21/2004 1:37:53 AM
Last modified : 5/3/2004 12:38:46 AM

#:28 [wkufind.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ThreadCreationTime : 5-21-2004 1:37:54 AM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 6.00.3215.0
ProductVersion : 6.00.3215.0
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkUFind
OriginalFilename : WkUFind.exe
ProductName : Microsoft
Created on : 5/3/2004 1:44:47 AM
Last accessed : 5/21/2004 1:37:54 AM
Last modified : 8/17/2001 3:41:58 AM

#:29 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 5-21-2004 1:37:54 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 3:44:46 AM
Last accessed : 5/21/2004 1:37:54 AM
Last modified : 2/23/2004 3:44:44 AM

#:30 [qoeloader.exe]
FilePath : C:\Program Files\Qurb\QSP-2.1.213.0\
ThreadCreationTime : 5-21-2004 1:37:55 AM
BasePriority : Normal
FileSize : 6 KB
FileVersion : 2.1.213.0
ProductVersion : 2.1.213.0
Copyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
OriginalFilename : QOELoader.exe
ProductName : QOELoader Application
Created on : 5/17/2004 3:27:26 AM
Last accessed : 5/21/2004 1:37:55 AM
Last modified : 5/17/2004 3:27:26 AM

#:31 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 5-21-2004 1:37:56 AM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 4.5.0.31
ProductVersion : 4.5.0.31
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.exe
ProductName : iTunes
Created on : 4/21/2004 3:28:04 PM
Last accessed : 5/21/2004 1:26:31 AM
Last modified : 4/21/2004 3:28:04 PM

#:32 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 5-21-2004 1:37:56 AM
BasePriority : Normal
FileSize : 1476 KB
FileVersion : 4.7.0041
ProductVersion : Version 4.7
Copyright : Copyright © Microsoft Corporation 1997-2001
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 8/14/2003 3:06:17 AM
Last accessed : 5/21/2004 1:37:56 AM
Last modified : 8/20/2002 10:08:38 PM

#:33 [aim.exe]
FilePath : C:\PROGRA~1\AIM\
ThreadCreationTime : 5-21-2004 1:37:57 AM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.5.3572
ProductVersion : 5.5.3572
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
OriginalFilename : AIM.EXE
ProductName : AOL Instant Messenger
Created on : 3/8/2004 3:02:16 AM
Last accessed : 5/21/2004 1:38:21 AM
Last modified : 2/4/2004 8:29:24 PM

#:34 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 5-21-2004 1:37:59 AM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright © 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 5/12/2004 2:04:35 AM
Last accessed : 5/21/2004 1:37:59 AM
Last modified : 2/25/2004 3:48:26 PM

#:35 [mcvsftsn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ThreadCreationTime : 5-21-2004 1:38:20 AM
BasePriority : Normal
FileSize : 216 KB
FileVersion : 8, 0, 0, 20
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Instant Messenger Scan Module
InternalName : mcvsftsn
OriginalFilename : mcvsftsn.EXE
ProductName : McAfee VirusScan
Created on : 2/23/2004 5:58:20 AM
Last accessed : 5/21/2004 1:27:01 AM
Last modified : 9/29/2003 8:38:16 PM

#:36 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-21-2004 1:39:05 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/18/2004 1:48:07 AM
Last accessed : 5/21/2004 1:39:05 AM
Last modified : 7/13/2003 1:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : danny@cgi-bin[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Danny\Cookies\

Created on : 5/20/2004 2:56:55 AM
Last accessed : 5/21/2004 1:21:12 AM
Last modified : 5/21/2004 1:21:12 AM



WinTools.websearch Object recognized!
Type : File
Data : wtoolsb.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\
FileSize : 168 KB
Created on : 5/12/2004 2:46:47 AM
Last accessed : 5/21/2004 1:48:39 AM
Last modified : 5/7/2004 8:28:14 AM



Disk scan result for C:\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 2


Deep scanning and examining files (D:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Disk scan result for D:\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 2


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Warning!
Bad hosts file entry:207.36.196.189:ieautosearch


RCPrograms Object recognized!
Type : Hosts file
Data : 207.36.196.189
Category : Misc
Comment : Possible Hosts File Hijack
Bad Hostfile entry : 207.36.196.189:ieautosearch


Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
12 entries scanned.
New objects :1
Objects found so far: 3




Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 3


9:48:44 PM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:09:10:516
Objects scanned :148991
Objects identified :3
Objects ignored :0
New objects :3

#11 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • 5,365 posts

Posted 21 May 2004 - 04:37 AM

Hi,
There are a couple of minor things I see in your Ad-Aware log.

WinTools.websearch Object recognized!
Type : File
Data : wtoolsb.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\

Restart in Safe Mode, open Windows Explorer to:

C:\WINDOWS\Temp

Delete the entire contents of that folder.

Next, Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Note: those are two different "temp" folders.

RCPrograms Object recognized!
Type : Hosts file


Download my HOSTS file (see below) then use the batch file on my site to "lock" the file. Then scroll down to the "Related Utilities" section and install both programs, set WinPatrol to "monitor" the HOSTS file. This should notify you of any changes.

I'm checking into the Vx2 Finder problem, I'll get back to you shortly.

Note: a "re-install" of XP over itself will not help, nor will a "System Restore".
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans with a HOSTS file: http://www.mvps.org/...p2002/hosts.htm
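The hosts-file finding above is worth seeing as a check you can run yourself. The following Python script is an added example, not code from this thread or from the MVPS site: it parses hosts-file text, flags any entry that sends a hostname to a remote address instead of to loopback or 0.0.0.0 (the pattern Ad-Aware reports as a "Possible Hosts File Hijack"), comments such lines out, and records a SHA-256 fingerprint of the file so later changes can be noticed, which is the role the reply gives WinPatrol's "monitor" setting. The sample hosts content is constructed; its last mapping is reconstructed from the log's `207.36.196.189:ieautosearch` as address followed by hostname, an assumption about the layout Ad-Aware abbreviates with a colon.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed sample hosts file, not the poster's actual file. The last
# mapping mirrors the Ad-Aware finding in the thread (207.36.196.189 /
# ieautosearch); "address then hostname" is assumed as its layout.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1\tlocalhost
::1\tlocalhost
127.0.0.1\tad.doubleclick.net   # blocking entry in the MVPS HOSTS style
0.0.0.0\t\tbanners.example.invalid
207.36.196.189\tieautosearch
this is not a hosts line
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: list


@dataclass
class HostsReport:
    entries: list = field(default_factory=list)    # well-formed mappings
    malformed: list = field(default_factory=list)  # line numbers that failed to parse


def parse_hosts(text: str) -> HostsReport:
    """Parse hosts-file text: one address followed by one or more names per line."""
    report = HostsReport()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            report.malformed.append(line_no)
            continue
        if len(fields) < 2:  # an address with no hostname is not a mapping
            report.malformed.append(line_no)
            continue
        report.entries.append(HostsEntry(line_no, fields[0], fields[1:]))
    return report


def is_blocking_address(address: str) -> bool:
    """Loopback and 0.0.0.0/:: keep traffic on the machine, so such entries only block."""
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(report: HostsReport) -> list:
    """Entries that send a hostname to a remote address: the hosts-hijack pattern."""
    return [e for e in report.entries if not is_blocking_address(e.address)]


def comment_out_hijacks(text: str) -> str:
    """Neutralise flagged lines by commenting them out, keeping the evidence readable."""
    flagged = {e.line_no for e in find_hijacks(parse_hosts(text))}
    lines = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        lines.append("# DISABLED-BY-AUDIT: " + raw if line_no in flagged else raw)
    return "\n".join(lines) + "\n"


def fingerprint(text: str) -> str:
    """SHA-256 of the file content; store it and compare later to detect changes."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rep = parse_hosts(SAMPLE_HOSTS)
    for entry in find_hijacks(rep):
        print(f"line {entry.line_no}: {entry.address} -> {', '.join(entry.hostnames)}")
    print("malformed lines:", rep.malformed)
    print("baseline fingerprint:", fingerprint(SAMPLE_HOSTS))
```

On a real XP machine you would read `C:\WINDOWS\System32\drivers\etc\hosts` (the path the Ad-Aware log names) into `parse_hosts`, keep the baseline fingerprint somewhere the malware cannot reach, and treat any fingerprint mismatch or non-blocking entry as something to review rather than auto-delete: the script comments lines out precisely so the original entry survives for later comparison.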



