
50 free Megs Webspace* for whoever can help me...


This topic is locked
19 replies to this topic

#1 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:20 PM

I have posted many times before; I will post here again in 2 mins with my startup list and HJT log.

*= For 2 months cPanel ad free, then with ads (1 banner or Google AdWords)

#2 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:24 PM

I am constantly reinfected with the searchx trojan... somewhere between boot and opening Yahoo browser (a modded version of Internet Explorer by Yahoo!)

Startup Log:
StartupList report, 5/24/2004, 7:57:12 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Ron Lewis\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Dudebox\dudemgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\YAHOO!\PARENT~1\YPC.EXE
C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Ron Lewis\Desktop\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Ron Lewis\Start Menu\Programs\Startup]
Dudebox Manager.lnk = C:\Program Files\Dudebox\dudemgr.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

USRpdA = C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
MMTray = C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
mmtask = C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
IPInSightMonitor 01 = "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
PestPatrol Control Center = C:\PROGRA~1\PESTPA~1\PPControl.exe
PPMemCheck = C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
CookiePatrol = C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
PestPatrolCL = C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
KeyPatrol = C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
THGuard = "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
YPC = C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\WINDOWS\System32\akb.dll (file missing) - {B5969F86-1BF1-4F85-9D5B-09DAA4909E47}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HPFRU Task #Hewlett-Packard#hp officejet 7100 series#1080273865.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[SysProWmi Class]
InProcServer32 = C:\WINDOWS\System32\Dell\SystemProfiler\SysPro.ocx
CODEBASE = http://support.dell....iler/SysPro.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[yucsetreg Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yucconfig.dll
CODEBASE = C:\Program Files\Yahoo!\common\yucconfig.dll

[YInstStarter Class]
InProcServer32 = C:\Program Files\Yahoo!\common\yinsthelper.dll
CODEBASE = http://download.yaho...s/yinst0401.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[InstallShield Setup Player 2K2]
CODEBASE = http://www.napster.c...lient/setup.exe

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8117.8271064815

[YahooYMailTo Class]
InProcServer32 = C:\Program Files\Yahoo!\common\ymmapi.dll
CODEBASE = http://download.yaho...mail/ymmapi.dll

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[MMRadioHostX Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MMRadioHostX.dll
CODEBASE = http://wwws.musicmat...er/MMLRadio.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: YPCLSP.dll (file MISSING)
Protocol #2: YPCLSP.dll (file MISSING)
Protocol #3: YPCLSP.dll (file MISSING)
Protocol #17: YPCLSP.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,100 bytes
Report generated in 1.292 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
-----end startup log-----

#3 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:24 PM

hijack this log:
Logfile of HijackThis v1.97.7
Scan saved at 8:02:10 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Dudebox\dudemgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\YAHOO!\PARENT~1\YPC.EXE
C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Ron Lewis\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B5969F86-1BF1-4F85-9D5B-09DAA4909E47} - C:\WINDOWS\System32\akb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Dudebox Manager.lnk = C:\Program Files\Dudebox\dudemgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MUSICMATCH MX Web Player (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8117.8271064815
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
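As an added example, not code from the thread or from HijackThis itself: a small Python triage script for the log format above. It parses the R/O lines, then applies three review heuristics of my own: a BHO whose DLL is missing (a dangling CLSID registration), an O10 broken Winsock LSP chain, and Run entries launched straight from the Windows or System32 directory. The sample lines are copied from the log posted above; the system-root path is taken from that same log.

```python
"""Triage helper for a HijackThis 1.97 log.

Added example (not from the thread, not part of HijackThis): parses the
R/O lines, then applies three simple review heuristics a malware-removal
helper would apply to a log like the one above. A Finding means "look at
this", never "this is malware".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B5969F86-1BF1-4F85-9D5B-09DAA4909E47} - C:\WINDOWS\System32\akb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
# First executable in a Run command line, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)

# Taken from the posted log: the system root of the machine in question.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}


@dataclass
class Entry:
    section: str   # e.g. "O2", "O4", "O10"
    body: str      # everything after "Oxx - "
    fields: dict   # parsed sub-fields; empty when the line shape is not handled


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_log(text):
    """Return one Entry per R/O line; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        sub = {"O2": BHO_RE, "O4": RUN_RE, "O16": DPF_RE}.get(section)
        mm = sub.match(body) if sub else None
        entries.append(Entry(section, body, mm.groupdict() if mm else {}))
    return entries


def triage(entries):
    """Apply the review heuristics described in the lead-in."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.fields and e.fields["path"].endswith("(file missing)"):
            # A CLSID still registered as a BHO whose DLL is gone: the
            # registration does nothing, but it should be cleaned up.
            findings.append(Finding("O2", "orphaned BHO registration", e.fields["clsid"]))
        elif e.section == "O10":
            # Never simply delete an LSP entry; the Winsock chain must be repaired.
            findings.append(Finding("O10", "broken Winsock LSP chain", e.body))
        elif e.section == "O4" and e.fields:
            m = EXE_RE.match(e.fields["cmd"])
            exe = m.group("exe") if m else e.fields["cmd"]
            if exe.lower().rsplit("\\", 1)[0] in SYSTEM_DIRS:
                # Legitimate vendors drop helpers here too, so this is a
                # "verify the file's publisher" item, not a verdict.
                findings.append(Finding("O4", "autorun launched from a system directory", exe))
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f.section:4} {f.reason}: {f.detail}")
```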

#4 freeatlast
E x p l o r e r (Retired Staff, 833 posts)

Posted 26 May 2004 - 11:37 PM

Download, Find-All.zip:
http://freeatlast.10...om/Find-All.zip
*Unzip it to a normal path.

DoubleClick on the 'Find-All.cmd' file,
follow instructions and post the log!

#5 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:42 PM

Download, Find-All.zip:
http://freeatlast.10...om/Find-All.zip
*Unzip it to a normal path.

DoubleClick on the 'Find-All.cmd' file,
follow instructions and post the log!

I get a 404

#6 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:44 PM

Sorry, nvm, that was YPC. I disabled it.

#7 chris22
Member (Full Member, 68 posts)

Posted 26 May 2004 - 11:53 PM

WOW, this log program takes a long time.

#8 chris22
Member (Full Member, 68 posts)

Posted 27 May 2004 - 12:17 AM

Yay, it finally finished...
Soooooo here's my log:
--==***@@@ 'FIND-ALL' VERSION 8.1 -5/27 @@@***==--


Wed May 26 22:14:45 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HP_PAVILION" (2D6C:07D4) - FS:FAT clusters:16k
Total: 39 995 916 288 [37G] - Free: 25 675 104 256 [24G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
Defaults: "A" ;"R"
A R C:\Program Files\google\GoogleToolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:


»»PC uptime:
10:14pm up 0 days, 7:33

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
424 SMSS.EXE
488 CSRSS.EXE Title:
512 WINLOGON.EXE Title: NetDDE Agent
572 SERVICES.EXE Svcs: Eventlog,PlugPlay
584 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
776 SVCHOST.EXE Svcs: RpcSs
880 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuauserv,WZCSVC
1020 SVCHOST.EXE Svcs: Dnscache
1064 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1204 CCSETMGR.EXE Svcs: ccSetMgr
1236 CCEVTMGR.EXE Svcs: ccEvtMgr
1628 SPOOLSV.EXE Svcs: Spooler
1924 EXPLORER.EXE Title: Program Manager
160 NAVAPSVC.EXE Svcs: navapsvc
224 NPROTECT.EXE Svcs: NProtectService
464 SVCHOST.EXE Svcs: stisvc
1012 SYMLCSVC.EXE Svcs: Symantec Core LC
1216 USRMLNKA.EXE
1384 hpgs2wnd.exe Title: HPGS2WND_WINDOW
1408 Directcd.exe Title: DirectCD
1436 ybrwicon.exe Title: ybrwicon
1472 mm_tray.exe Title: Music Match Tray Applet
1488 realsched.exe Title: Notification Wnd for RNAdmin
1512 ccApp.exe Title: Norton AntiVirus
1536 hpgs2wnf.exe Title: OleMainThreadWndName
1580 mmtask.exe Title: OleMainThreadWndName
908 PPControl.exe Title: ppct_st
1736 ycommon.exe Title: OleMainThreadWndName
1740 USRshutA.exe Title:
1772 PPMemCheck.exe Title: PPMEM_SysTray
1808 CookiePatrol.execpclass13Title: cpclass13
1916 USRMLNKA.EXE
2064 THGuard.exe Title:
2144 TeaTimer.exe Title: Spybot-S&D Resident
2492 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter
2552 hpogrp07.exe Title:
2664 dudemgr.exe Title: Layered Hidden Window
3024 ypc.exe Title: SBC Yahoo! Parental Controls
3424 hpoevm07.exe Title:
3436 YPCSER~1.EXE Svcs: YPCService
3708 hpoipm07.exe Title: Port hpoipm07.exe
4016 SAVScan.exe Svcs: SAVScan
1948 hpOSTS07.exe Title:
272 YPager.exe Title:
1504 YBrowser.exe Title: SWI Forums -> Malware Removal
2488 EXPLORER.EXE Title: C:\Junk\Find-All
868 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3624 ntvdm.exe
1164 msmsgs.exe Title:
444 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5969F86-1BF1-4F85-9D5B-09DAA4909E47}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{EED795AF-73BD-4219-B9B8-9F50E74C0B5B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{EED795AF-73BD-4219-B9B8-9F50E74C0B5B}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [LEWIS\Ron Lewis], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group LEWIS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\Junk No permissions are set. All user have full control.
C:\junk\Find-All No permissions are set. All user have full control.

»»Contents of file(s) in 'junk' folder:
Find-All

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Wed May 26 22:15:07 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\Junk\Find-All\winBackup.hiv
A C:\Junk\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#9 chris22
Member (Full Member, 68 posts)

Posted 27 May 2004 - 12:21 AM

I have to go for the night but I'll be back tomorrow.

#10 freeatlast
E x p l o r e r (Retired Staff, 833 posts)

Posted 27 May 2004 - 12:38 AM

FIRST:
*Download the 'Find-All' again!!!
It will not run properly with your current configurations.
Delete the old copy, run Find-All.cmd.
When done, close the log and proceed with the following:



»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error


Here is the villain.

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
highlighted.
(*compare and be sure the path on the status
bar is same as indicated above!)

-RightClick on the Windows Subfolder,
And rename Windows as Windows1

-Locate "AppInit_DLLs" value on the right
pane, RightClick it and select 'delete'

-Select the Windows1 on the left pane
again and rename it back to its
original name, Windows

-Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

-Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ CTLO.DLL file, highlight
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.


Lastly,
Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
*Restore your key &Security
back to defaults
*Reset permissions on the junkxxx\*.dll moved file
*Create zipped copy in the same folder: "junkxxx.zip"
*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' to the email field and submit the
attachment to the specified addresses! Thanks.

Delete the "junkxxx.zip" and the C:\'junkxxx' Subfolder when done!

To fix all other related problems you need to scan
with dedicated tools:
1.) CWShredder-> fix all!
2.) Ad-Aware6!, using the latest reference file! Select
the customise options,
select your drive, scan and fix all it finds.

All required links in the FAQs &Downloads.

When done with all, post fresh hijackthis log!
Good luck ;)

Edited by freeatlast, 27 May 2004 - 01:11 AM.

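As an added example (mine, not Find-All's and not from the thread), a Python check for the AppInit_DLLs part of the procedure above: it parses the REGEDIT4 fragment of the Windows key the way Find-All prints it, decodes both the "string" and the hex(2) (REG_EXPAND_SZ) forms, and lists the DLLs an AppInit_DLLs value would load into every process that uses user32.dll; an empty list is what you want to see once the value is gone. The "after" sample is copied from the log above; the "before" sample is constructed with a placeholder DLL path.

```python
"""Check the AppInit_DLLs value in a REGEDIT4 export of the Windows key.

Added example, not part of Find-All or the thread. Find-All prints that
key as a REGEDIT4 fragment (see the log above); this parses such a
fragment, decodes "string" and hex(2) (REG_EXPAND_SZ) values, and lists
the DLLs AppInit_DLLs would load into every process that uses user32.dll.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Copied from the Find-All log posted above: the value is already empty there.
EXPORT_AFTER = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"AppInit_DLLs"=""
"""

# Constructed "before" export; the DLL path is a placeholder, not a real sample.
EXPORT_BEFORE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"Spooler"="yes"
"AppInit_DLLs"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,6d,33,32,\
  5c,65,78,61,6d,70,6c,65,2e,64,6c,6c,00
"""

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r"^hex(?:\((\d+)\))?:(.*)$")


def _logical_lines(text):
    """Join the backslash-continued lines regedit uses for long hex values."""
    buf = None
    for line in text.splitlines():
        line = line.rstrip()
        if buf is not None:
            line, buf = buf + line.lstrip(), None
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf is not None:
        yield buf


def _unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _decode(raw):
    """Right-hand side of a value line -> (registry type, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        return "UNKNOWN", raw
    kind = int(m.group(1) or 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):
        # REGEDIT4 writes ANSI bytes; a "Version 5.00" export would be UTF-16LE.
        enc = "utf-16-le" if len(data) > 1 and data[1] == 0 else "cp1252"
        return ("REG_EXPAND_SZ" if kind == 2 else "REG_SZ"), data.decode(enc).rstrip("\x00")
    return "REG_BINARY", data


def parse_regedit4(text):
    """Return {key path: {value name: (type, value)}} for an export fragment."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys


def appinit_dlls(export_text):
    """DLL paths AppInit_DLLs would inject; an empty list means the fix held."""
    for key, values in parse_regedit4(export_text).items():
        if key.upper() != WINDOWS_KEY.upper():
            continue
        for name, (_, value) in values.items():
            if name.upper() == "APPINIT_DLLS":
                # The loader treats spaces and commas as separators.
                return [p for p in re.split(r"[ ,]+", str(value)) if p]
    return []


if __name__ == "__main__":
    for label, export in (("before", EXPORT_BEFORE), ("after", EXPORT_AFTER)):
        print(label, appinit_dlls(export) or "clean")
```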

#11 chris22
Member (Full Member, 68 posts)

Posted 27 May 2004 - 11:01 AM

Here is the villain.

Next,
Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

I don't have Window$ NT on my computer; could that be a problem?

Edited by chris22, 27 May 2004 - 11:02 AM.


#12 chris22
Member (Full Member, 68 posts)

Posted 27 May 2004 - 11:29 AM

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Thu May 27 09:18:50 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "HP_PAVILION" (2D6C:07D4) - FS:FAT clusters:16k
Total: 39 995 916 288 [37G] - Free: 25 891 274 752 [24G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
2.0.111.0 C:\Program Files\google\googletoolbar2.dll
Defaults: "A" ;"R"
A R C:\Program Files\google\GoogleToolbar2.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"YPC 3.0.3"="Yahoo! Parental Controls"


»»Wmplayer version:
9.0.0.2980 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:


»»PC uptime:
9:18am up 0 days, 10:29

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error
\\?\C:\WINDOWS\System32\CTLO.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
424 SMSS.EXE
488 CSRSS.EXE Title:
512 WINLOGON.EXE Title: NetDDE Agent
572 SERVICES.EXE Svcs: Eventlog,PlugPlay
584 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
780 SVCHOST.EXE Svcs: RpcSs
884 SVCHOST.EXE Svcs: AudioSrv,Browser,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,seclogon,SENS,ShellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,wuauserv,WZCSVC
1032 SVCHOST.EXE Svcs: Dnscache
1044 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
1152 CCSETMGR.EXE Svcs: ccSetMgr
1192 CCEVTMGR.EXE Svcs: ccEvtMgr
1356 SPOOLSV.EXE Svcs: Spooler
1764 NAVAPSVC.EXE Svcs: navapsvc
1828 NPROTECT.EXE Svcs: NProtectService
1992 SVCHOST.EXE Svcs: stisvc
232 SYMLCSVC.EXE Svcs: Symantec Core LC
440 SAVSCAN.EXE Svcs: SAVScan
868 EXPLORER.EXE Title: Program Manager
1372 USRmlnkA.exe
1564 hpgs2wnd.exe Title: HPGS2WND_WINDOW
1092 Directcd.exe Title: DirectCD
1684 ybrwicon.exe Title: ybrwicon
1056 hpgs2wnf.exe Title: OleMainThreadWndName
1980 USRshutA.exe Title:
1924 USRmlnkA.exe
1608 mm_tray.exe Title: Music Match Tray Applet
912 realsched.exe Title: Notification Wnd for RNAdmin
1528 ccApp.exe Title: Norton AntiVirus
1000 ycommon.exe Title: OleMainThreadWndName
1016 mmtask.exe Title: OleMainThreadWndName
1720 PPControl.exe Title: ppct_st
2112 PPMemCheck.exe Title: PPMEM_SysTray
2184 CookiePatrol.execpclass13Title: cpclass13
2336 THGuard.exe Title:
2456 TeaTimer.exe Title: Spybot-S&D Resident
2580 OLFSNT40.EXE Title: Symantec Fax Starter Edition Port Starter
2612 HPOGRP07.EXE Title:
2708 DUDEMGR.EXE Title: Layered Hidden Window
3052 ypc.exe Title: SBC Yahoo! Parental Controls
3156 YPCSER~1.EXE Svcs: YPCService
3292 hpoevm07.exe Title:
3420 hpoipm07.exe Title: Port hpoipm07.exe
3676 hpOSTS07.exe Title:
3684 hpOFXM07.exe Title:
4012 YBrowser.exe Title: SWI Forums -> Editing Post 50 free Megs Webspace* for whoever can help me...
3924 EXPLORER.EXE Title: C:\Junk\Find-All
1660 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
1136 ntvdm.exe
2772 MSMSGS.EXE Title:
4036 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"AppInit_DLLs"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5969F86-1BF1-4F85-9D5B-09DAA4909E47}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B603C4FA-E761-4967-AB0D-FD5C7F25A6B2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{BC697565-6AE3-4F7C-8601-D1A229B3FB47}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]
"CLSID"="{BC697565-6AE3-4F7C-8601-D1A229B3FB47}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [LEWIS\Ron Lewis], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group LEWIS\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Thu May 27 09:19:11 2004 -- ++Find-All 'Windows'.hiv .reg list:
A C:\Junk\Find-All\winBackup.hiv
A C:\Junk\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows



#13 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • 833 posts

Posted 27 May 2004 - 11:48 AM

Log is ok, ready to proceed...
http://www.spywarein...indpost&p=10943
Submit Files:

#14 chris22

chris22

    Member

  • Full Member
  • 68 posts

Posted 27 May 2004 - 01:09 PM

Done and files emailed. Thank you so far... but it still keeps reinfecting.

#15 chris22

chris22

    Member

  • Full Member
  • 68 posts

Posted 27 May 2004 - 04:42 PM

Logfile of HijackThis v1.97.7
Scan saved at 2:14:50 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Dudebox\dudemgr.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
C:\Documents and Settings\Ron Lewis\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spywareinfoforum.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spywareinfoforum.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [PestPatrolCL] C:\PROGRA~1\PESTPA~1\PestPatrolCL.exe c:\
O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Dudebox Manager.lnk = C:\Program Files\Dudebox\dudemgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: MUSICMATCH MX Web Player (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .qcp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.c...lient/setup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8117.8271064815
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmat...er/MMLRadio.cab

#16 chris22

chris22

    Member

  • Full Member
  • 68 posts

Posted 27 May 2004 - 04:54 PM

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, May 27, 2004 2:03:28 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R310 23.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R304 16.05.2004
Internal build : 236
File location : C:\PROGRA~1\LAVASOFT\AD-AWA~1\reflist.ref
Total size : 1116816 Bytes
Signature data size : 1098071 Bytes
Reference data size : 18681 Bytes
Signatures total : 24559
Target categories : 10
Target families : 469
5-27-2004 2:00:06 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R310 23.05.2004
Internal build : 242
File location : C:\PROGRA~1\LAVASOFT\AD-AWA~1\reflist.ref
Total size : 1166714 Bytes
Signature data size : 1147128 Bytes
Reference data size : 19522 Bytes
Signatures total : 25605
Target categories : 10
Target families : 484

5-27-2004 2:00:22 PM Success.
Update successfully downlodaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:17 %
Total physical memory:195056 kb
Available physical memory:32092 kb
Total page file size:478024 kb
Available on page file:255068 kb
Total virtual memory:2097024 kb
Available virtual memory:2050180 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Reanalyze result after scanning, before displaying result list
Set : Run scan as background process (Low CPU usage)
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Create and save WebUpdate logfile
Set : Dump details about unhandled exceptions to disk
Set : Play sound if scan produced a result


5-27-2004 2:03:28 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-27-2004 7:01:28 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-27-2004 7:01:31 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-27-2004 7:01:31 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 1/28/2004 5:46:12 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 6:59:10 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-27-2004 7:01:31 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 1/28/2004 5:45:01 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 6:39:50 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-27-2004 7:01:32 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/28/2004 5:46:35 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 7:05:32 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-27-2004 7:01:32 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/28/2004 5:46:35 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 7:05:32 PM

#:7 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 5-27-2004 7:01:34 PM
BasePriority : Normal
FileSize : 229 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 5/7/2004 11:31:01 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 11/10/2003 8:30:12 PM

#:8 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 5-27-2004 7:01:34 PM
BasePriority : Normal
FileSize : 249 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Common Client
Created on : 5/7/2004 11:30:59 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 11/10/2003 8:30:04 PM

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-27-2004 7:01:36 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 1/28/2004 5:46:30 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 7:04:18 PM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 5-27-2004 7:02:09 PM
BasePriority : Normal
FileSize : 154 KB
FileVersion : 10.00.13
ProductVersion : 10.00.13
Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright © 2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 5/7/2004 11:31:25 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/5/2003 1:22:28 AM

#:11 [nprotect.exe]
FilePath : C:\Program Files\Norton AntiVirus\AdvTools\
ThreadCreationTime : 5-27-2004 7:02:09 PM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright © 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 5/7/2004 10:23:15 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 8/14/2002 1:03:00 PM

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-27-2004 7:02:10 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 1/28/2004 5:46:35 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 7:05:32 PM

#:13 [symlcsvc.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
ThreadCreationTime : 5-27-2004 7:02:10 PM
BasePriority : Normal
FileSize : 572 KB
FileVersion : 1, 8, 48, 77
ProductVersion : 1, 8, 48, 77
Copyright : Copyright © 2003
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
OriginalFilename : symlcsvc.exe
ProductName : Symantec Core Component
Created on : 5/7/2004 10:21:08 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/7/2004 10:21:08 PM

#:14 [savscan.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 5-27-2004 7:02:18 PM
BasePriority : Normal
FileSize : 189 KB
FileVersion : 9.2.1.14
ProductVersion : 9.2
Copyright : Copyright © 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus Scanner
InternalName : SAVSCAN
OriginalFilename : SAVSCAN.EXE
ProductName : Symantec AntiVirus AutoProtect
Created on : 5/7/2004 11:31:32 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/5/2003 1:22:30 AM

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-27-2004 7:02:55 PM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 5/12/2003 4:12:10 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/12/2003 4:12:10 AM

#:16 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ThreadCreationTime : 5-27-2004 8:52:02 PM
BasePriority : Realtime
FileSize : 76 KB
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
Copyright : Copyright ©
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
OriginalFilename : 3cmlink.exe
ProductName : U.S. Robotics Modem Driver
Created on : 8/18/2001 5:37:00 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 6:31:56 PM

#:17 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ThreadCreationTime : 5-27-2004 8:52:05 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2,4,0,26
ProductVersion : 2,4,0,26
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
OriginalFilename : hpgs2wnd.exe
ProductName : Hewlett-Packard hpgs2wnd
Created on : 8/18/2003 3:55:41 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 7/3/2001 4:11:52 PM

#:18 [usrshuta.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ThreadCreationTime : 5-27-2004 8:52:10 PM
BasePriority : Normal
FileSize : 68 KB
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
Copyright : Copyright ©
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
OriginalFilename : 3cshtdwn.exe
ProductName : U.S. Robotics Modem Driver
Created on : 8/18/2001 5:37:00 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 6:31:56 PM

#:19 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ThreadCreationTime : 5-27-2004 8:52:10 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
Copyright : Copyright ©
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
OriginalFilename : 3cmlink.exe
ProductName : U.S. Robotics Modem Driver
Created on : 8/18/2001 5:37:00 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2002 6:31:56 PM

#:20 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 5-27-2004 8:52:12 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.4.21
ProductVersion : 5.3.4.21
Copyright : Copyright © 2001,2002, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 12/17/2002 7:28:00 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/17/2002 7:28:00 PM

#:21 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 5-27-2004 8:52:13 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 9/18/2003 11:02:47 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 7/11/2003 9:51:16 PM

#:22 [hpgs2wnf.exe]
FilePath : C:\PROGRA~1\HEWLET~1\HPSHAR~1\
ThreadCreationTime : 5-27-2004 8:52:14 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 2,4,0,26
ProductVersion : 2,4,0,26
Copyright : Copyright 2001
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
OriginalFilename : hpgs2wnf.EXE
ProductName : hpgs2wnf Module
Created on : 8/18/2003 3:55:42 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 7/3/2001 4:17:04 PM

#:23 [mm_tray.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox8.1\
ThreadCreationTime : 5-27-2004 8:52:15 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.10.2026
ProductVersion : 8.10.2026
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 5/23/2004 2:07:29 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/3/2003 1:40:28 PM

#:24 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 5-27-2004 8:52:16 PM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 12/27/2003 4:22:38 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/27/2003 4:22:40 AM

#:25 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 5-27-2004 8:52:18 PM
BasePriority : Normal
FileSize : 69 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client User Session
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 5/7/2004 11:30:59 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 11/10/2003 8:30:02 PM

#:26 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ThreadCreationTime : 5-27-2004 8:52:20 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 12/2/2003 2:33:32 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/20/2004 11:50:16 PM

#:27 [ycommon.exe]
FilePath : C:\PROGRA~1\YAHOO!\BROWSER\
ThreadCreationTime : 5-27-2004 8:52:21 PM
BasePriority : Normal
FileSize : 212 KB
FileVersion : 2003, 9, 3, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 9/18/2003 11:02:20 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 9/3/2003 8:16:56 PM

#:28 [ppcontrol.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-27-2004 8:52:22 PM
BasePriority : Normal
FileSize : 52 KB
Created on : 5/17/2004 9:20:50 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/2/2004 10:11:48 PM

#:29 [ppmemcheck.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-27-2004 8:52:25 PM
BasePriority : Normal
FileSize : 145 KB
Created on : 5/17/2004 9:20:50 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/2/2004 10:11:54 PM

#:30 [cookiepatrol.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-27-2004 8:52:28 PM
BasePriority : Normal
FileSize : 68 KB
Created on : 5/17/2004 9:20:58 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/2/2004 10:10:34 PM

#:31 [pestpatrolcl.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-27-2004 8:52:37 PM
BasePriority : Normal
FileSize : 814 KB
FileVersion : 4.4.2.11
ProductVersion : 4.4
CompanyName : PestPatrol, Inc.
FileDescription : command line pest scanner
ProductName : PestPatrolCL - the command line pest scanner
Created on : 5/17/2004 9:20:49 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/3/2004 4:45:54 AM

#:32 [thguard.exe]
FilePath : C:\Program Files\TrojanHunter 3.8\
ThreadCreationTime : 5-27-2004 8:52:39 PM
BasePriority : Normal
FileSize : 1042 KB
FileVersion : 3.8.0.272
ProductVersion : 1.0.0.0
Copyright : Mischel Internet Security
CompanyName : Mischel Internet Security
FileDescription : TrojanHunter Guard
OriginalFilename : THGuard.exe
ProductName : TrojanHunter Guard
Created on : 1/26/2004 8:17:08 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 1/26/2004 8:17:08 AM

#:33 [ypc.exe]
FilePath : C:\PROGRA~1\YAHOO!\PARENT~1\
ThreadCreationTime : 5-27-2004 8:52:42 PM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2003, 10, 20, 1
ProductVersion : 3, 0, 3, 409
Copyright : Copyright
CompanyName : Yahoo! Inc.
FileDescription : YPC Module
InternalName : YPC
OriginalFilename : YPC.EXE
ProductName : YPC Module
Created on : 9/18/2003 11:02:29 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 10/20/2003 11:22:42 PM

#:34 [teatimer.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ThreadCreationTime : 5-27-2004 8:52:46 PM
BasePriority : Idle
FileSize : 1014 KB
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
OriginalFilename : TeaTimer.exe
ProductName : Spybot - Search & Destroy
Created on : 5/12/2004 8:03:00 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/12/2004 8:03:00 AM

#:35 [olfsnt40.exe]
FilePath : C:\Program Files\Microsoft Office\Office\1033\
ThreadCreationTime : 5-27-2004 8:52:55 PM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 9.0.98.0105
ProductVersion : 9.0.98.0105
Copyright : Copyright © Symantec Corp. 1990-1998
CompanyName : Microsoft Corporation
FileDescription : Symantec Fax Starter Edition Port Launcher
InternalName : OLFSNT40.DLL
OriginalFilename : OLFSNT40.DLL
ProductName : Symantec Fax Starter Edition Printer Driver
Created on : 12/23/1998 12:51:54 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/23/1998 12:51:54 PM

#:36 [hpogrp07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\
ThreadCreationTime : 5-27-2004 8:52:58 PM
BasePriority : Normal
FileSize : 484 KB
FileVersion : 2.00
ProductVersion : A.14.07.04
Copyright : Copyright © Hewlett-Packard Co. 1995-2000
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOGRP07
OriginalFilename : HPOGRP07.EXE
ProductName : hp officejet 7100 series
Created on : 6/25/2003 6:23:40 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 6/25/2003 6:23:40 AM

#:37 [dudemgr.exe]
FilePath : C:\Program Files\Dudebox\
ThreadCreationTime : 5-27-2004 8:53:03 PM
BasePriority : Normal
FileSize : 774 KB
FileVersion : 8, 5, 4, 0
ProductVersion : 8, 5, 4, 0
Copyright : Copyright
CompanyName : Red Chair Software, Inc.
FileDescription : Red Chair Manager
InternalName : Red Chair Manager
ProductName : Red Chair Manager
Created on : 5/3/2004 1:51:29 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/3/2004 1:51:30 AM

#:38 [hpoevm07.exe]
FilePath : C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\
ThreadCreationTime : 5-27-2004 8:53:42 PM
BasePriority : Normal
FileSize : 292 KB
FileVersion : 1.00
ProductVersion : A.14.07.04
Copyright : Copyright © Hewlett-Packard Co. 1995-2000
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM07
OriginalFilename : HPOEVM07.EXE
ProductName : hp officejet 7100 series
Created on : 6/25/2003 6:59:16 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 6/25/2003 6:59:16 AM

#:39 [hpoipm07.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-27-2004 8:53:58 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 4, 5, 0, 767
ProductVersion : 4, 5, 0, 767
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 6/25/2003 7:53:28 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 6/25/2003 7:53:28 AM

#:40 [hposts07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
ThreadCreationTime : 5-27-2004 8:54:38 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 1.00
ProductVersion : A.14.07.04
Copyright : Copyright © Hewlett-Packard Co. 1995-2000
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS07
OriginalFilename : HPOCPY07.EXE
ProductName : hp officejet 7100 series
Created on : 6/25/2003 7:41:06 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 6/25/2003 7:41:06 AM

#:41 [hpofxm07.exe]
FilePath : C:\Program Files\Hewlett-Packard\AiO\Shared\bin\
ThreadCreationTime : 5-27-2004 8:54:39 PM
BasePriority : Normal
FileSize : 184 KB
FileVersion : 1.00
ProductVersion : A.14.07.04
Copyright : Copyright © Hewlett-Packard Co. 1995-2000
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet G Series Fax Manager
InternalName : HPOFXM07
OriginalFilename : HPOFXM07.EXE
ProductName : hp officejet 7100 series
Created on : 6/25/2003 8:19:18 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 6/25/2003 8:19:18 AM

#:42 [ybrowser.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 5-27-2004 8:57:24 PM
BasePriority : Normal
FileSize : 433 KB
FileVersion : 2003, 10, 22, 2
ProductVersion : 3, 0, 2, 0
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : Yahoo! Browser
InternalName : YBrowser
OriginalFilename : YBrowser.EXE
ProductName : Yahoo! Browser
Created on : 8/17/2003 6:03:10 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 10/22/2003 10:48:02 PM

#:43 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
ThreadCreationTime : 5-27-2004 8:57:45 PM
BasePriority : Idle
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/10/2004 8:59:06 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 7/13/2003 4:00:20 AM

#:44 [ypager.exe]
FilePath : C:\PROGRA~1\YAHOO!\MESSEN~1\
ThreadCreationTime : 5-27-2004 8:59:26 PM
BasePriority : Normal
FileSize : 1496 KB
FileVersion : 5, 6, 0, 1358
ProductVersion : 5, 6, 0, 1358
Copyright : Copyright 1998-2003
CompanyName : Yahoo! Inc.
FileDescription : Yahoo! Messenger
InternalName : Yahoo! Messengerr
OriginalFilename : YPager.exe
ProductName : Yahoo! Messenger
Created on : 10/26/2003 11:55:01 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 12/26/2003 10:57:44 PM

Memory scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


Registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\bjnf.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{0DA8CF0F-5B51-4B43-B71E-43DD3E3393B6}


CoolWebSearch Object recognized!
Type : File
Data : bjnf.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 5/24/2004 12:19:29 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/24/2004 12:19:30 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{0E5D71A6-D59B-4B6C-96FA-EEF3D5917625}


CoolWebSearch Object recognized!
Type : File
Data : fhgbdce.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 5/22/2004 5:22:32 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/22/2004 5:22:34 PM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{2EF3F771-83F7-4A7D-8729-2A429FB157E1}


CoolWebSearch Object recognized!
Type : File
Data : djlofaa.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 5/25/2004 4:21:57 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/25/2004 4:21:58 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{2F842277-A7D4-41CB-9FFF-198FA88ED389}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{31208431-1C28-4C49-947E-525D46670CE6}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4742F60E-D7F7-486A-9415-E8F200E90A09}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\pnkp.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4DE80727-8F7B-44B9-BB22-91D52F2FFD28}


CoolWebSearch Object recognized!
Type : File
Data : pnkp.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 5/27/2004 9:38:36 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/27/2004 9:38:38 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{535AF468-980F-4531-B12A-F7C4041B73E9}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{6A47477D-D904-42A5-A230-60933809B0F8}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{74FE62BA-805C-4173-BEBF-4434A08013C7}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{99009DFE-F264-4EE5-A447-E109783F6A40}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A21034DA-FA21-4815-B866-AA8A266A9BD6}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A580CC35-949F-4235-83FD-53268AE6CBE3}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A866C5F6-FE50-4E0E-B782-84100B922572}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{AECEE137-682D-41E9-881B-09632A1F0369}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{B7FFB581-3E9E-4442-B789-5160BF3116A3}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{BAC59F41-D576-4315-BBB0-BE10841CA903}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\pnkp.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{BC697565-6AE3-4F7C-8601-D1A229B3FB47}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{C255B401-CBA4-4EC6-BCE4-45B3F002B14D}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\djlofaa.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{CFB651EA-3FDF-416B-9529-1A86249D4A66}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{DB5AE8AB-EF22-49DD-B983-F8CD0EA0BBB5}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E1BEDF31-1CD2-45B3-9251-FF5F40699942}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment : c:\windows\system32\fhgbdce.dll
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{EC30CB9C-BAB1-47C6-B034-ECFE9687456C}


Deep registry scan result :
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 24
Objects found so far: 29


Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object recognized!
Type : File
Data : dc108.dll
Category : Malware
Comment :
Object : C:\Recycled\
FileSize : 30 KB
Created on : 5/25/2004 12:19:59 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/25/2004 12:20:00 AM



CoolWebSearch Object recognized!
Type : File
Data : dc109.dll
Category : Malware
Comment :
Object : C:\Recycled\
FileSize : 30 KB
Created on : 5/26/2004 6:30:59 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/26/2004 6:31:00 AM



CoolWebSearch Object recognized!
Type : File
Data : dc112.dll
Category : Malware
Comment :
Object : C:\Recycled\
FileSize : 30 KB
Created on : 5/27/2004 2:23:26 AM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/27/2004 2:23:28 AM



CoolWebSearch Object recognized!
Type : File
Data : ctlo.111
Category : Malware
Comment :
Object : C:\junkxxx\
FileSize : 56 KB
Created on : 4/24/2004 11:53:58 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 4/24/2004 11:54:04 PM



CoolWebSearch Object recognized!
Type : File
Data : junkxxx.zip
Category : Malware
Comment : Object "ctlo.111" found in this archive.
Object : C:\Junk\Find-All\Tools\
FileSize : 55 KB
Created on : 5/27/2004 5:56:01 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 5/27/2004 5:56:02 PM


Object "ctlo.111" found in this archive.

Tracking Cookie Object recognized!
Type : File
Data : ron lewis@tripod[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Ron Lewis\Local Settings\Temp\Cookies\

Created on : 3/3/2004 10:33:36 PM
Last accessed : 5/27/2004 7:00:00 AM
Last modified : 3/3/2004 10:33:38 PM



Disk scan result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New objects : 0
Objects found so far: 35


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Warning!
Bad hosts file entry:127.0.0.1:hotsearchbox.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hotsearchbox.com

Warning!
Bad hosts file entry:127.0.0.1:www.hotsearchbox.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.hotsearchbox.com

Warning!
Bad hosts file entry:127.0.0.1:searchxl.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchxl.com

Warning!
Bad hosts file entry:127.0.0.1:www.searchxl.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.searchxl.com

Warning!
Bad hosts file entry:127.0.0.1:i-lookup.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:i-lookup.com

Warning!
Bad hosts file entry:127.0.0.1:www.i-lookup.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.i-lookup.com

Warning!
Bad hosts file entry:127.0.0.1:hotwebsearch.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hotwebsearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.hotwebsearch.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.hotwebsearch.com

Warning!
Bad hosts file entry:127.0.0.1:mysearchnow.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:mysearchnow.com

Warning!
Bad hosts file entry:127.0.0.1:www.mysearchnow.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.mysearchnow.com

Warning!
Bad hosts file entry:127.0.0.1:1-se.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:1-se.com

Warning!
Bad hosts file entry:127.0.0.1:aifind.info


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:aifind.info

Warning!
Bad hosts file entry:127.0.0.1:alfa-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:alfa-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.alfa-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.alfa-search.com

Warning!
Bad hosts file entry:127.0.0.1:allneedsearch.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:allneedsearch.com

Warning!
Bad hosts file entry:127.0.0.1:approvedlinks.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:approvedlinks.com

Warning!
Bad hosts file entry:127.0.0.1:find-itnow.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:just.find-itnow.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:just.find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:www.find-itnow.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:firstbookmark.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:firstbookmark.com

Warning!
Bad hosts file entry:127.0.0.1:www.firstbookmark.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.firstbookmark.com

Warning!
Bad hosts file entry:127.0.0.1:ie-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:ie-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.ie-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.ie-search.com

Warning!
Bad hosts file entry:127.0.0.1:lookfor.cc


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:lookfor.cc

Warning!
Bad hosts file entry:127.0.0.1:www.lookfor.cc


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.lookfor.cc

Warning!
Bad hosts file entry:127.0.0.1:omega-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:omega-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.omega-search.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.omega-search.com

Warning!
Bad hosts file entry:127.0.0.1:power-search.info


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:power-search.info

Warning!
Bad hosts file entry:127.0.0.1:www.power-search.info


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.power-search.info

Warning!
Bad hosts file entry:127.0.0.1:rightfinder.net


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:rightfinder.net

Warning!
Bad hosts file entry:127.0.0.1:www.rightfinder.net


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.rightfinder.net

Warning!
Bad hosts file entry:127.0.0.1:search-dot.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:search-dot.com

Warning!
Bad hosts file entry:127.0.0.1:www.search-dot.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.search-dot.com

Warning!
Bad hosts file entry:127.0.0.1:super-spider.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:super-spider.com

Warning!
Bad hosts file entry:127.0.0.1:t.rack.cc


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:t.rack.cc

Warning!
Bad hosts file entry:127.0.0.1:webcoolsearch.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:webcoolsearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.webcoolsearch.com


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.webcoolsearch.com

Warning!
Bad hosts file entry:127.0.0.1:in.webcounter.cc


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:in.webcounter.cc

Warning!
Bad hosts file entry:127.0.0.1:www.windowws.cc


Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.windowws.cc
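
The log above is long but carries a few facts worth pulling out before anything is "fixed": two dozen CLSID keys in HKEY_CLASSES_ROOT, each pointing at one of a handful of random-named 30 KB DLLs in system32 (bjnf.dll, fhgbdce.dll, djlofaa.dll, pnkp.dll) with creation dates two or three days apart, copies of the same kind of DLL already sitting in C:\Recycled, and a hosts file pinning a list of search domains to 127.0.0.1. As an added example, not code from the thread, from Ad-Aware or from any of the helpers here, the Python script below parses Ad-Aware's "Object recognized!" blocks and groups them the way a responder reads them: which CLSIDs reference which DLL, the creation timeline of the dropped files (a fresh DLL every day or two is consistent with the reinfection chris22 reports, i.e. something on the box keeps re-dropping them, so deleting the listed objects alone treats the symptom), and the hosts redirected to localhost. The embedded sample is an abridged excerpt of the posted log with fields omitted; the function names are mine.

```python
"""Triage helper for an Ad-Aware 6 scan log (added example; not code from the thread).
Parses the 'Object recognized!' blocks: CLSIDs per dropped DLL, drop timeline, hosts."""
from collections import defaultdict
from datetime import datetime

MARK = " Object recognized!"

# Abridged excerpt of the log posted above (constructed test input; fields and
# records omitted for brevity). Raw string keeps the Windows backslashes intact.
SAMPLE_LOG = r"""
CoolWebSearch Object recognized!
Type : RegKey
Comment : c:\windows\system32\bjnf.dll
Object : CLSID\{0DA8CF0F-5B51-4B43-B71E-43DD3E3393B6}

CoolWebSearch Object recognized!
Type : RegKey
Comment : c:\windows\system32\fhgbdce.dll
Object : CLSID\{0E5D71A6-D59B-4B6C-96FA-EEF3D5917625}

CoolWebSearch Object recognized!
Type : RegKey
Comment : c:\windows\system32\fhgbdce.dll
Object : CLSID\{2F842277-A7D4-41CB-9FFF-198FA88ED389}

CoolWebSearch Object recognized!
Type : File
Data : fhgbdce.dll
Category : Malware
Object : c:\windows\system32\
Created on : 5/22/2004 5:22:32 PM

CoolWebSearch Object recognized!
Type : File
Data : bjnf.dll
Category : Malware
Object : c:\windows\system32\
Created on : 5/24/2004 12:19:29 AM

CoolWebSearch Object recognized!
Type : File
Data : dc112.dll
Category : Malware
Object : C:\Recycled\
Created on : 5/27/2004 2:23:26 AM

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hotsearchbox.com
"""


def parse_adaware_log(text):
    """One dict per block; 'family' holds the detection name (e.g. CoolWebSearch)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(MARK):
            current = {"family": line[: -len(MARK)]}
            records.append(current)
        elif not line:
            current = None  # a blank line closes the block
        elif current is not None:
            key, _, value = line.partition(":")  # split on the first ':' only
            current[key.strip()] = value.strip()
    return records


def clsids_by_dll(records):
    """Map each DLL a CoolWebSearch CLSID key points at to the CLSIDs registered for it."""
    out = defaultdict(list)
    for r in records:
        if r.get("Type") == "RegKey" and r.get("Object", "").startswith("CLSID\\"):
            out[r["Comment"].lower()].append(r["Object"][6:])  # drop the 'CLSID\' prefix
    return {dll: sorted(ids) for dll, ids in out.items()}


def dropped_files(records):
    """(created datetime, full path) for each malware file hit, oldest first."""
    hits = []
    for r in records:
        if r.get("Type") == "File" and r.get("Category") == "Malware":
            created = datetime.strptime(r["Created on"], "%m/%d/%Y %I:%M:%S %p")
            hits.append((created, r["Object"] + r["Data"]))  # Object is the directory
    return sorted(hits)


def reinfection_days(records):
    """Distinct calendar days on which a fresh malware file was created."""
    return sorted({created.date() for created, _ in dropped_files(records)})


def redirected_hosts(records):
    """(ip, hostname) pairs Ad-Aware flagged as 'Redirected hostfile entry'."""
    hosts = []
    for r in records:
        if r.get("Type") == "Hosts file":
            ip, _, host = r["Bad Hostfile entry"].partition(":")
            hosts.append((ip, host))
    return hosts
```

To use it on a real log, read the saved file into `parse_adaware_log` and print the four results; on the full log above it yields four DLLs with CLSIDs, file hits on 5/22, 5/24, 5/25, 5/26 and 5/27, and the forty-odd redirected hosts. Two caveats: the parser closes a record at a blank line, so the tracking-cookie entry in the full log (which has a blank line in the middle of its fields) loses its date fields; and the script only lists hosts entries pinned to 127.0.0.1, it does not decide whether an entry is a hijack or a deliberate block, which is a judgment Ad-Aware also only hedges with "Possible".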

#17 chris22

chris22

    Member

  • Full Member
  • Pip
  • 68 posts

Posted 27 May 2004 - 10:47 PM

FREEATLAST Are you there???

#18 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 27 May 2004 - 11:28 PM

Yes!
Just have Ad-Aware fix everything!
The log is not needed!

When done, run CWShredder once again!

If there are problems left, post another HijackThis log and another Find-All log!

#19 chris22

chris22

    Member

  • Full Member
  • Pip
  • 68 posts

Posted 28 May 2004 - 12:37 AM

Thank you freeatlast, because I'm "FREEATLAST".

You can close this thread and PM me the 50 Megs info for your files, for helping people with malware.

Edited by chris22, 28 May 2004 - 12:38 AM.


#20 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 01 June 2004 - 09:00 AM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
