CWS res:// hijacker INVESTIGATION THREAD


  • This topic is locked
67 replies to this topic

#1 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 02:23 PM

Are you getting the res:// homepage hack? Random popups from "Only The Best?" Read on.

Okay, so this thing is hitting so fast that it's hard to keep up with all the threads, so I say let's investigate it all in one thread. Many of us have been hammering on this one for days now, so we're bound to figure out something to stop it.

If you've been searching in frustration on this, believe me, I know how you feel. Adaware, Spybot, NOD32, and the rest work only temporarily or not at all. I've collected all the known symptoms and posted solutions. At this moment, no solution has been permanent for me, as the hijacker returns, but read on for more info on what I think is the reason, a hijacked iexplore.exe.

Two posted solutions. They didn't work for me, but try them anyway just in case:

http://www.spywarein...?showtopic=7261
http://www.spywarein...?showtopic=7281

There are others being posted as well.

POSSIBLE SYMPTOMS--you may experience most or all of these (lord knows I am):

Home page changed to res://*randomdllname*.dll/index.html#96676 - This is a DLL containing that annoying page that you're seeing. You'll find the DLL in c:\windows\system32. The file will eventually return after deletion. The name cycles through a list of random names. I originally had "gafka.dll," and at this point in time, it's "bjigm.dll."

"Only The Best" popup windows.

Popup search windows. - When doing a search, such as in Google, a second window pops up with some third-party "search" page.

Possible random hyperlinks on certain words. I went to Windows Update and found that every instance of the word "computer" was hyperlinked as "goto: computer."

A randomly named process appears, visible under Task Manager. This process will take up 2384kb of memory. - Ending the task and deleting the executable that appears (in c:\windows or c:\windows\system32) is pointless as a new file will be created and run. sranson has discovered that iexplore.exe is the process that's writing this new DLL file!

New service listed in services.msc--"Network Security Service." - Disabling this service on my machine did not help, but I imagine it's a good idea to disable it anyway!

Entry in Add/Remove programs called "Home Search Assistent" that cannot be removed - Clicking the Remove button opens some sort of Russian porn site.

Two files keep reappearing:
mfcso.exe c:\windows 19kb
mfcso.dll c:\windows 89kb

Registry changed at random times throughout the day, whether or not you run Internet Explorer - Running Hijack This is pointless, as the registry values you remove will be returned eventually, using different DLL and executable filenames.

POSSIBLE SOLUTIONS

This is where we get a little sketchy. :) Removing the files and executables and registry entries, as many of you know, doesn't do squat as the hijacker simply reappears. Merely running Internet Explorer seemed like a good way to cause it to return. Luckily, sranson was running Filemon at the moment the new DLL file was written.

The culprit was iexplore.exe. It looks like this may be the source of the hijacker returning. Definitely look into this, particularly what file and registry changes happen when you actually start up Internet Explorer, especially if you've cleaned the hijacker files off your system.

I am at work right now posting on a laptop, so I can't experiment for myself. But what happens if you perform all the cleaning steps mentioned before, but also replace iexplore.exe with a good copy? iexplore.exe sounds like the key as to why this keeps reappearing even after we clean it off our systems. For the record, my Windows XP SP1 fully patched system has an iexplore.exe of 82kb in size. Is yours any different? When was it last modified? I just checked the filesize of my home machine's iexplore.exe, the one with the spyware infection--it's showing 89kb. I don't know if this is relevant or not, but definitely, iexplore.exe is doing something, or something iexplore.exe uses is doing something.

FILE AND REGISTRY MONITORING

These programs will alert you to any changes and let you know the process that changed them. Let's track everything and get to the bottom of this.

Filemon:
http://www.sysintern...e/filemon.shtml

Regmon:
http://www.sysintern...ce/regmon.shtml

DOWNLOADING INTERNET EXPLORER 6 SP1

I'm going to reinstall Internet Explorer 6 on my home machine and clean all the known rogue files and see what that does.

http://www.microsoft...sp1/default.asp

Or if you want all the files in one go:

http://www.tacktech....ay.cfm?ttid=176

Edited by rd_syringe, 16 June 2004 - 02:38 PM.


#2 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 02:49 PM

Okay, I'm going home on my lunch hour to reinstall Internet Explorer 6. I'll let you know how it goes and if it stops this thing from returning...

#3 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 02:50 PM

(accidental repost)

Edited by rd_syringe, 16 June 2004 - 02:53 PM.


#4 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 03:16 PM

Excellent post, RD.

I think we should add suspicious Office installer loading up constantly every time IE is used.

#5 Drewmeister

Drewmeister

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 16 June 2004 - 03:51 PM

This is a good idea, and it might even be worth a sticky given just how many people are suffering through it.

The first method you posted seemed to work for me--I hope. There's still a chance I missed something and that I'll howl in frustration sometime in the next day or so. However, I've been free for about 2 1/2 hours now.

The key is finding and nuking ALL of the involved .dll .dat and .exe files. And there can be a LOT of them. My computer started giving me the "Home Search" web page on 6/13. I found files for it dated all the way back to mid-May, however.

Here's what I've noticed about the various files:

.dll files: 5 string random characters, 70KB size (I deleted about 8 of these from my windows and system directories)

.dat files: also random strings, vary more in size. Many of mine were either 1k or 12k. Mostly 5 letters. I deleted about 10 of these.

.exe files: a little more variety since these can be 4 or 5 letters and sometimes include a 32. I deleted about 12 of these from my folders. *All were 9k in size*

During the problem period, I noticed that every time I re-booted the hijacker's "Network Security Service" pointed to a different random .exe.

I think that if you don't get EVERY .dat, .dll, and .exe, it comes back right away.

#6 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 04:10 PM

Okay, guys, I'm posting from my home computer. I was unsuccessful in reinstalling IE6--apparently the installer won't overwrite anything if it detects it's already installed. I'm not sure.

But there is good news. I cleaned everything I could and brought things back to normal. Then, I started Filemon and Regmon and tried my best to activate the spyware and cause it to return. I have saved both logs of the 10-15 minute span of time and will bring them with me when I get back to work and will post more detailed results. I've found some very interesting things. :)

First off, yes, it is iexplore.exe that is writing the DLL file. A few more highlights--it looks like the randomly named process that gets run in Task Manager searches the Windows RAS and addressbook registry values. I have logs of all the registry values this process writes. I will scan this thoroughly in the log.

More importantly, I may have discovered an activity log. I noticed that the process wrote to:
c:\windows\system32\config\software
c:\windows\system32\config\software.log

I am unable to open these files as they are "in use by some program or application." I watched this folder for a while--the size of software.log grew larger and larger until reverting back to 1K again.

Are these valid files? Everyone, check if you've got these two files. I hope it's not just me. Running Internet Explorer caused software.log's file size to spike. I'll see what I can come up with from scanning these monitor logs when I get back to my laptop in about 15 minutes. :)

Edited by rd_syringe, 16 June 2004 - 04:33 PM.
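An added example, not part of the original posts: one way to answer "which process created this file?" from a saved Filemon capture. It assumes Filemon's tab-separated export (sequence number, time, process:PID, request, path, result, other), and the sample rows, file names and the watched-extension list are constructed for illustration.

```python
import ntpath
import re

# Assumption: only these file types directly under the Windows tree are of interest.
WATCHED_EXT = {".dll", ".exe", ".dat"}
WATCHED_ROOT = "c:\\windows\\"
LENGTH = re.compile(r"Length: (\d+)")

# Constructed sample rows (not taken from anyone's real capture).
SAMPLE_ROWS = [
    ("101", "2:54:06 PM", "iexplore.exe:800", "QUERY INFORMATION",
     r"C:\WINDOWS\system32\qwert.dat", "FILE NOT FOUND", "Attributes: Error"),
    ("102", "2:54:06 PM", "iexplore.exe:800", "QUERY INFORMATION",
     r"C:\WINDOWS\system32\qwert.dat", "FILE NOT FOUND", "Attributes: Error"),
    ("103", "2:54:07 PM", "explorer.exe:1200", "WRITE",
     r"C:\WINDOWS\example.dat", "SUCCESS", "Offset: 0 Length: 128"),
    ("104", "2:54:45 PM", "iexplore.exe:800", "WRITE",
     r"C:\WINDOWS\system32\qwert.dat", "SUCCESS", "Offset: 0 Length: 512"),
    ("105", "2:54:45 PM", "iexplore.exe:800", "WRITE",
     r"C:\WINDOWS\system32\qwert.dat", "SUCCESS", "Offset: 512 Length: 328"),
    ("106", "2:54:46 PM", "iexplore.exe:800", "QUERY INFORMATION",
     r"C:\Documents and Settings\User\Local Settings\Temp\page.dat",
     "FILE NOT FOUND", "Attributes: Error"),
    ("107", "2:54:46 PM", "iexplore.exe:800", "WRITE",
     r"C:\Documents and Settings\User\Local Settings\Temp\page.dat",
     "SUCCESS", "Offset: 0 Length: 512"),
    # Some exported lines have no leading sequence number.
    ("2:54:50 PM", "iexplore.exe:800", "QUERY INFORMATION",
     r"C:\WINDOWS\system32\qwert.dat", "SUCCESS", "Attributes: A"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_line(line):
    """Split one exported line into a dict, or return None if it is not an event."""
    fields = [f.strip() for f in line.split("\t")]
    if fields and fields[0].isdigit():      # drop the optional sequence number
        fields = fields[1:]
    if len(fields) < 5:
        return None
    when, process, request, path, result = fields[:5]
    other = fields[5] if len(fields) > 5 else ""
    return {"time": when, "process": process, "request": request,
            "path": path, "result": result, "other": other}


def find_dropped_files(log_text):
    """Report watched files that were absent earlier in the capture and then written.

    A FILE NOT FOUND followed by a successful WRITE means the file was created
    during the capture, and the WRITE row names the process that created it.
    """
    probes = {}   # path -> number of FILE NOT FOUND results seen before creation
    drops = {}    # path -> writer process, bytes written, earlier probe count
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        path = event["path"].lower()
        if not path.startswith(WATCHED_ROOT):
            continue
        if ntpath.splitext(path)[1] not in WATCHED_EXT:
            continue
        if event["result"] == "FILE NOT FOUND":
            if path not in drops:
                probes[path] = probes.get(path, 0) + 1
        elif (event["request"] == "WRITE" and event["result"] == "SUCCESS"
              and path in probes):
            drop = drops.setdefault(
                path, {"writer": event["process"], "bytes": 0,
                       "probes": probes[path]})
            size = LENGTH.search(event["other"])
            if size:
                drop["bytes"] += int(size.group(1))
    return drops


if __name__ == "__main__":
    for path, info in find_dropped_files(SAMPLE_LOG).items():
        print(f"{path}: created by {info['writer']}, {info['bytes']} bytes, "
              f"{info['probes']} earlier lookups failed")
```
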


#7 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 04:18 PM

Deleting the Prefetch folder in \Windows didn't work (as proposed in another thread). I also looked through the assembly code of iexplore.exe and found nothing out of the ordinary, but I may have missed something.

I just replaced iexplore.exe on the infected machine with a copy of the EXE from a clean SP1 machine - no effect, the spyware remains.

#8 TripleT

TripleT

    Member

  • New Member
  • Pip
  • 2 posts

Posted 16 June 2004 - 04:30 PM

Adding this info in case it happens to help the effort. I worked with my brother on the phone for several hours last night trying to get this fixed on his machine. As of 11:30 PM last night all was well, but I haven't checked back in with him today.

I too had early failures trying to get this cleaned up (on a Windows Me machine - yes, time to upgrade). Got rid of everything HijackThis found and that didn't belong, but it came right back. Super frustrating. We ended up starting the machine in Safe Mode and ran HijackThis again (I believe HijackThis found more items while in Safe Mode). Below is everything we had to remove to clean the system. Please remember, as mentioned above, that the names appear to be randomly generated and won't match exactly what's found on another system.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lvadj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://lvadj.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://lvadj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lvadj.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://lvadj.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lvadj.dll/sp.html#96676

O2 - BHO: (no name) - {B9B34100-D040-0B2A-82D1-D1F5061D5342} - C:\WINDOWS\NTAO32.DLL

O4 - HKLM\..\Run: [ADDIR32.EXE] C:\WINDOWS\SYSTEM\ADDIR32.EXE
O4 - HKLM\..\RunServices: [WINEG32.EXE] C:\WINDOWS\SYSTEM\WINEG32.EXE
O4 - HKLM\..\RunServices: [SDKFX.EXE] C:\WINDOWS\SYSTEM\SDKFX.EXE

As I said, I haven't talked to him again today to see if his machine is still clean, but we felt confident last night (could not reproduce errors again). I hope that this really doesn't end up more complicated than it already is. Nasty little bastard.
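An added example, not part of the original posts: a small triage script for HijackThis entries of the kind listed above. It groups every Internet Explorer page value by the DLL its res:// URL points to (so no hive or value is missed when the name is random) and flags unnamed BHOs and Run entries that follow the pattern described in this thread. The sample log, its file names and the heuristics are constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; DLL/EXE names and CLSIDs are made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\abcde.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://abcde.dll/index.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\FGHIJ32.DLL
O2 - BHO: Example Toolbar - {55555555-6666-7777-8888-999999999999} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [KLMNO32.EXE] C:\WINDOWS\SYSTEM\KLMNO32.EXE
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

R_LINE = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\(.+?),([^=,]+) = (.*)$")
RES_URL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (.*) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Heuristic (assumption): the thread's files sit directly in these folders.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system", r"c:\windows\system32"}


def in_windows_dir(path):
    """True when the file sits directly in one of the Windows folders above."""
    return ntpath.dirname(path).lower() in WINDOWS_DIRS


def triage(log_text):
    """Return (findings, dll_refs).

    findings: list of (HijackThis code, reason) for lines worth a second look.
    dll_refs: res:// DLL name -> every registry value that points at it.
    """
    findings = []
    dll_refs = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()

        m = R_LINE.match(line)
        if m:
            code, hive, key, name, value = m.groups()
            res = RES_URL.match(value)
            if res:
                # res:// may carry a bare DLL name or a full path; keep the name.
                dll = ntpath.basename(res.group(1)).lower()
                dll_refs[dll].append(f"{hive}\\{key},{name}")
                findings.append((code, f"IE page served from resource in {dll}"))
            continue

        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            if name == "(no name)" and in_windows_dir(path):
                findings.append(("O2", f"unnamed BHO {clsid} -> {path}"))
            continue

        m = O4_LINE.match(line)
        if m:
            hive, run_key, name, path = m.groups()
            # Pattern from the thread: value name equals the file name itself.
            same_name = name.lower() == ntpath.basename(path).lower()
            if same_name and in_windows_dir(path):
                findings.append(("O4", f"{hive} {run_key} autostart -> {path}"))
    return findings, dict(dll_refs)


if __name__ == "__main__":
    found, refs = triage(SAMPLE_LOG)
    for code, reason in found:
        print(code, reason)
    for dll, values in refs.items():
        print(f"{dll} is referenced by {len(values)} registry value(s):")
        for value in values:
            print("   ", value)
```
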

#9 ritoun

ritoun

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 16 June 2004 - 04:38 PM

I do have a software file (17,563,648 bytes) and a software.sav file (588 KB) in config... No software.txt

#10 romec

romec

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 16 June 2004 - 04:42 PM

Might want to take a look at my thread

http://www.spywarein...?showtopic=7197

Symptoms look identical. OSC was able to help me get this cleaned up. It's been about 18 hours and no more symptoms have reappeared.

Keep in mind that more than likely the dll names are randomly created and will be different on your system. Best advice is to cross reference suspicious files with the known lists.

Edited by romec, 16 June 2004 - 04:50 PM.


#11 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 16 June 2004 - 04:50 PM

I think it is a wonderful thing to discuss issues/problems like this but please, just a reminder - Do not post your logs into the thread as it makes it very confusing for everyone involved. Posting snippets etc helps to emphasize points and help the "Experts" to come up with a solution - Once and for all - I hope ;)

Thank you all for your consideration.

#12 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 05:11 PM

FIXED (until further notice)

A few things tell me that, even though FileMon says otherwise, it cannot be iexplore.exe creating the DLLs. When operating in safe mode, getting rid of the nasty files and processes once makes sure they do not come back again. If opening IE in normal mode recreates the files, and opening IE in safe mode does not - then there is a discrepancy and it cannot be IE... or not IE alone, anyway.

As I also mentioned before, replacing iexplore.exe with a clean version of the file from another computer did nothing.

The following are the steps I took to resolve my problem:

- Start the system in safe mode.
- Delete the appropriate DLL (mine was xothr.dll)
- Open HiJack This and get rid of anything that does not belong. How do you differentiate between what belongs and what does not? Google. LIUtilities.com lists most proper running processes and all essential running processes. Chances are that if it is not on the site, it should not be running on your computer (or if it is a really unknown peripheral, it is something you can afford to reinstall, it will not be an essential part of the OS).
- Change your startup page in IE back to normal.
- Run CWS Shredder just in case

Clearing temporary internet files, cookies, etc. is all optional, you never know where spyware might be hiding.

- Restart to normal mode.
- Check for the DLL again, if it reappears delete it.
- Run HiJack This again - there should be minimal changes from the spyware this time (I had only two registry entries changed).
- Open up IE and give it a go. After you open it up, check HiJack this for trails of the spyware if it's still around.

#13 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 05:18 PM

I now believe the software.log may be a normal part of Windows. I suspected as much, but the rogue process was indeed writing to this file. It may be normal Windows logging procedures.

I'm going through my logs to post a summarized timeline of the file and registry activity, and maybe going through it, we can figure out how to remove it, or at the least a way to block its activities.

EmXtrix, I will definitely try your solutions when I get home in about an hour.

Edited by rd_syringe, 16 June 2004 - 05:19 PM.


#14 TripleT

TripleT

    Member

  • New Member
  • Pip
  • 2 posts

Posted 16 June 2004 - 05:27 PM

Could not agree more with EmXtrix's post. Solution was exactly the same as that I used and appears to have done the job.

Hopefully others will find this info useful in resolving their problems, or perhaps someone much smarter than me can devise a utility like CWShredder to automate the removal of this pest! As someone else has said before, it's quite a service being performed here by a lot of talented people. Keep up the good work!

#15 ritoun

ritoun

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 16 June 2004 - 06:35 PM

At first, the repair seems to help, but then, if I do a search in Google (car, for instance), it comes back as fast as it's gone...
Did you try a Google search after your fix?

#16 beezer101

beezer101

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 16 June 2004 - 06:52 PM

I'd also like to add that this bug totally wiped pop-up cop off of my IE window. I have no idea how to get it back and it is definitely not functional now. If you guys know how to recover it w/out reinstalling I'd love to know. Thanks.


Keep up the good work

#17 beezer101

beezer101

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 16 June 2004 - 07:00 PM

Just another thing I noticed, a lot of the .exe files ended with 32 in my case (apitl32.exe, d3ol32.exe, crqz32.exe, etc. etc.) just FYI.

#18 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 07:21 PM

The 32 numerical suffix is a good point, most of them do end in that.

Ritoun - I did do a Google search after the fix (I too noticed that the problem comes back quick with Google), but my system remains stable and isolated. Remember, the key is to knock out all of the files so that the spyware cannot re-establish itself.

Maybe I will attempt to write a program that knocks out all system processes besides the essentials (basically what safe mode does, but you won't have to restart your computer).

Edited by EmXtrix, 16 June 2004 - 07:23 PM.


#19 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 16 June 2004 - 07:43 PM

Maybe this info will be overkill, but it might be of interest to people writing their own automated removal tools. Some of these lists are long, but they show exactly what this thing looks for and in what folders, so I included them for information's sake. You can also see patterns of behavior.

Unfortunately, the registry log is way too long for me to examine in such a short time, but all the activity is in there, and I will look at it this evening.

Here's what I did after the failed IE installation attempt:

- Ended all rogue processes that were running.
- Ran Hijack This.
- Deleted all executables and DLLs that didn't belong (that I knew of).
- Scanned with Adaware, Spybot, and just to be sure, CWShredder.
- Ran Hijack This again.
- Made sure Internet Explorer was seemingly running just fine. Home page was my home page, and there were no popups.

Okay, so I started Filemon and Regmon simultaneously, then set out to force the spyware to reactivate itself. This seems to happen when Internet Explorer starts up, so I kept starting, browsing a few sites, and restarting. I now believe it's not iexplore.exe but something using iexplore.exe somehow. I don't really know. Nothing happened for a long time, and I almost believed I had actually cleaned the spyware completely without knowing how I did it. But, of course, it returned in full force. I really wonder about the people here claiming they have cleaned their systems, as this thing creates files all over the place.

I started logging at 2:51 PM. The registry log is absolutely huge, so it's difficult to glean information from it that wouldn't take weeks. Scanning the file access log, I notice the first suspicious activity:

10037	2:52:19 PM	netys32.exe:1316	QUERY INFORMATION	C:\WINDOWS\netys32.exe	SUCCESS	Attributes: A

Netys32.exe doesn't belong. It started up on Windows startup, despite not being in the registry. It's not picked up by any program like Spybot, Ad-Aware, or even the NOD32 antivirus scanner. I've deleted this file before, yet here it is again. At least the name remains the same. Over in the registry log, here's what netys32 did:

35525	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\protocols\filter	SUCCESS	Access: 0x2001F  
35526	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\protocols\filter\text/html	NOTFOUND  
35527	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\protocols\filter\text/plain	NOTFOUND  
35528	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\protocols\filter\text/html	NOTFOUND  
35529	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\protocols\filter\text/plain	NOTFOUND  
35530	2:52:19 PM	netys32.exe:1316	CloseKey	HKCR\protocols\filter	SUCCESS  
35531	2:52:19 PM	netys32.exe:1316	OpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	SUCCESS	Access: 0x2001F  
35532	2:52:19 PM	netys32.exe:1316	QueryValue	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	NOTFOUND  
35533	2:52:19 PM	netys32.exe:1316	CloseKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows	SUCCESS  
35534	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\CLSID	SUCCESS	Access: 0x20019  
35535	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\CLSID\{5E369D6A-7FC5-67AE-A18C-CE69B1CBE389}	SUCCESS	Access: 0x2000000  

...the CLSID accessing continues in this way for several entries.

Interestingly, later on I found this in the log, a registry key and series of values it creates:

35958	2:52:19 PM	netys32.exe:1316	CreateKey	HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA	SUCCESS	Access: 0x20006  
35962	2:52:19 PM	netys32.exe:1316	SetValue	HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA\DisplayName	SUCCESS	"Home  Search  Assistent  "	
35963	2:52:19 PM	netys32.exe:1316	SetValue	HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA\UninstallString	SUCCESS	"rundll32 url.dll,FileProtocolHandler http://t73.com"	
35964	2:52:19 PM	netys32.exe:1316	OpenKey	HKCR\CLSID	SUCCESS	Access: 0xF003F  

It's the damn "Home Search Assistent" in the Add/Remove dialog! The process makes sure this is listed as an installed program even if it's already there. There, you can see where removing it redirects you to http://www.t73.com.

At one point, you can see where it hooks into searching:

36344	2:52:19 PM	netys32.exe:1316	CreateKey	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C53941D-477F-6263-5B87-CAAEBC229396}	SUCCESS	Access: 0x20006  
36345	2:52:19 PM	netys32.exe:1316	SetValue	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C53941D-477F-6263-5B87-CAAEBC229396}\(Default)	SUCCESS	""	
36346	2:52:19 PM	netys32.exe:1316	CloseKey	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C53941D-477F-6263-5B87-CAAEBC229396}	SUCCESS  
36347	2:52:19 PM	netys32.exe:1316	OpenKey	HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	NOTFOUND  
36348	2:52:19 PM	netys32.exe:1316	OpenKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS	Access: 0x2000000  
36349	2:52:19 PM	netys32.exe:1316	QueryKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS	Subkeys = 0	
36350	2:52:19 PM	netys32.exe:1316	EnumerateKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	NOMORE  
36351	2:52:19 PM	netys32.exe:1316	CloseKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS  
36352	2:52:19 PM	netys32.exe:1316	OpenKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS	Access: 0x10000  
36353	2:52:19 PM	netys32.exe:1316	DeleteKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS	Key: 0xE23177C8	
36354	2:52:19 PM	netys32.exe:1316	CloseKey	HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	SUCCESS  

You get the idea. Meanwhile, in the file log:

2:52:22 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error

Needless to say, that's not a valid system file, and a Google search brought no results. Interestingly, 2:52:22 is exactly the time I tried connecting on my dialup connection. Over in the registry was a lot of RAS addressbook access activity, but I'm sure that's normal when dialing a phone number that Windows has stored.

There was also this:

98248	2:54:06 PM	iexplore.exe:1532	OpenKey	HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\Domains\//zznyz.dll/http_404.htm	NOTFOUND  
98249	2:54:06 PM	iexplore.exe:1532	OpenKey	HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\//zznyz.dll/http_404.htm	NOTFOUND

About a minute later, you can really see iexplore.exe desperately looking for this file in a whole bunch of possible folders:

23439	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Program Files\Internet Explorer\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23440	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Documents and Settings\Parents\Desktop\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23441	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\System32\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23442	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23443	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23444	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23445	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23446	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\System32\Wbem\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23447	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Documents and Settings\Parents\Desktop\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23448	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Program Files\Internet Explorer\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23449	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Program Files\Internet Explorer\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23450	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\System32\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23451	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23452	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23453	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Documents and Settings\Parents\Desktop\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23454	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23455	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23456	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\System32\Wbem\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23457	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Documents and Settings\Parents\Desktop\zznyz.dll	FILE NOT FOUND	Attributes: Error	
23458	2:54:06 PM	iexplore.exe:1532	QUERY INFORMATION	C:\Program Files\Internet Explorer\zznyz.dll	FILE NOT FOUND	Attributes: Error

After that, there is normal system activity again for a while like writing temporary files and accessing system libraries, until it looks again:

26590	2:54:32 PM	iexplore.exe:1532	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error

Okay, so it is periodically looking for this file, presumably to start its little routine of being scumware and popping crap up. My guess is that zznyz.dll is the file containing the start page we're getting used to seeing, the one that ends up in the res:// address to deliver the page.

A few seconds later, we get an access to another system DLL I have found no information about online, but this time it successfully locates it and executes:

27943	2:54:36 PM	iexplore.exe:800	OPEN	C:\WINDOWS\d3vh32.dll	SUCCESS	Options: Open  Access: All	
27944	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	FileBasicInformation	
27945	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Length: 91136	
27946	2:54:36 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\d3vh32.dll	SUCCESS  
27947	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Attributes: A	
27948	2:54:36 PM	iexplore.exe:800	OPEN	C:\WINDOWS\d3vh32.dll	SUCCESS	Options: Open  Access: Execute	
27949	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Length: 91136	
27950	2:54:36 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\d3vh32.dll	SUCCESS  
27951	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Attributes: A	
27952	2:54:36 PM	iexplore.exe:800	OPEN	C:\WINDOWS\d3vh32.dll	SUCCESS	Options: Open  Access: Execute	
27953	2:54:36 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\d3vh32.dll	SUCCESS  

Fantastic, whatever this is has executed on my system. With the complete lack of information when doing a Google search, coupled with the fact this file is accessed via another suspicious file you'll see later on, I'm pretty sure this thing does not belong.

It continues:

27959	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Attributes: A

It's checked for that file and found it. I guess it's feeling lucky and will now check for zznyz again, but this time it checks for a zznyz.dat file instead of the DLL:

27960	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat.new	FILE NOT FOUND	Attributes: Error	
27961	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat	FILE NOT FOUND	Attributes: Error	
27962	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat.new	FILE NOT FOUND	Attributes: Error	
27963	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat	FILE NOT FOUND	Attributes: Error	
27964	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat.new	FILE NOT FOUND	Attributes: Error	
27965	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat	FILE NOT FOUND	Attributes: Error	
27966	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error	
27967	2:54:36 PM	iexplore.exe:800	SET INFORMATION  C:\WINDOWS\system32\config\software.LOG	SUCCESS	Length: 102400	
27968	2:54:36 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	FILE NOT FOUND	Attributes: Error

After this is more miscellaneous system activity, such as writing temporary internet data. At this point, nothing particularly strange was happening with Internet Explorer. But all of a sudden:

30759	2:54:45 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 0 Length: 512	
30760	2:54:45 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 512 Length: 512	
30761	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 1024 Length: 512	
30762	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 1536 Length: 512	
30763	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 2048 Length: 512	
30764	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 2560 Length: 512	
30765	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 3072 Length: 512	
30766	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 3584 Length: 512	
30767	2:54:45 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 4096 Length: 512	
30768	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 4608 Length: 512	
30769	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 5120 Length: 512	
30770	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 5632 Length: 512	
30771	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 6144 Length: 512	
30772	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 6656 Length: 512	
30773	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 7168 Length: 512	
30774	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 7680 Length: 512	
30775	2:54:45 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 8192 Length: 512	
30776	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 8704 Length: 512	
30777	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 9216 Length: 512	
30778	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 9728 Length: 512	
30779	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 10240 Length: 512	
30780	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 10752 Length: 512	
30781	2:54:45 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 11264 Length: 328	
30782	2:54:45 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\system32\zznyz.dat	SUCCESS  
30783	2:54:45 PM	winlogon.exe:456	DIRECTORY	C:\WINDOWS\system32	SUCCESS	Change Notify	
30784	2:54:45 PM	iexplore.exe:800	OPEN	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Options: Open  Access: All	
30785	2:54:45 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat	SUCCESS	FileBasicInformation	
30786	2:54:45 PM	iexplore.exe:800	SET INFORMATION  C:\WINDOWS\system32\zznyz.dat	SUCCESS	FileBasicInformation	
30787	2:54:45 PM	winlogon.exe:456	DIRECTORY	C:\WINDOWS\system32	SUCCESS	Change Notify	
30788	2:54:45 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\system32\zznyz.dat	SUCCESS  
30789	2:54:45 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat.new	FILE NOT FOUND	Attributes: Error	
30790	2:54:45 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Attributes: A	
30791	2:54:45 PM	iexplore.exe:800	OPEN	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Options: OpenIf  Access: All	
30792	2:54:45 PM	iexplore.exe:800	READ  C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 0 Length: 512	
30793	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 512 Length: 512	
30794	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 1024 Length: 512	
30795	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 1536 Length: 512	
30796	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 2048 Length: 512	
30797	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 2560 Length: 512	
30798	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 3072 Length: 512	
30799	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 3584 Length: 512	
30800	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 4096 Length: 512	
30801	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 4608 Length: 512	
30802	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 5120 Length: 512	
30803	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 5632 Length: 512	
30804	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 6144 Length: 512	
30805	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 6656 Length: 512	
30806	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 7168 Length: 512	
30807	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 7680 Length: 512	
30808	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 8192 Length: 512	
30809	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 8704 Length: 512	
30810	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 9216 Length: 512	
30811	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 9728 Length: 512	
30812	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 10240 Length: 512	
30813	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 10752 Length: 512	
30814	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	SUCCESS	Offset: 11264 Length: 512	
30815	2:54:45 PM	iexplore.exe:800	READ	C:\WINDOWS\system32\zznyz.dat	END OF FILE	Offset: 11592 Length: 512	
30816	2:54:45 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\system32\zznyz.dat	SUCCESS  

All of a sudden, we're writing blocks of data. And this sort of activity continues off and on in huge strings of activities like that, and then:

31614	2:55:14 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dll	SUCCESS	Offset: 0 Length: 512	
31615	2:55:14 PM	iexplore.exe:800	WRITE  C:\WINDOWS\system32\zznyz.dll	SUCCESS	Offset: 512 Length: 512	
31616	2:55:14 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dll	SUCCESS	Offset: 1024 Length: 512	
31617	2:55:14 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dll	SUCCESS	Offset: 1536 Length: 512	
31618	2:55:14 PM	iexplore.exe:800	WRITE	C:\WINDOWS\system32\zznyz.dll	SUCCESS	Offset: 2048 Length: 512	
...

And this goes on for huge blocks, until it finishes writing the zznyz.dll file, until suddenly it queries for some random executable file:

32276	2:55:16 PM	iexplore.exe:800	CLOSE	C:\WINDOWS\system32\zznyz.dat	SUCCESS  
32277	2:55:16 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe	FILE NOT FOUND	Attributes: Error

After this is a huge series of writes to that software.log I mentioned before, which is why I thought it might be related.

32304	2:55:18 PM	iexplore.exe:800	CREATE	C:\WINDOWS\system32\d3dw32.exe	SUCCESS	Options: OverwriteIf  Access: All

This is the new executable file I saw running in Task Manager. It starts writing to this file until it finishes creating it. So iexplore.exe made the .dat file, made the DLL, and now it's made the executable. There is miscellaneous querying of the file information on this new executable. All of a sudden we see activity from this executable for the first time:

32604	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe	SUCCESS	FileNameInformation	
32605	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\Prefetch\D3DW32.EXE-1ECAD0ED.pf	FILE NOT FOUND	Options: Open  Access: All	
32606	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\Documents and Settings\Parents\Desktop\	SUCCESS	Options: Open Directory  Access: Traverse	
32607	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe.Local	FILE NOT FOUND	Attributes: Error	
32608	2:55:27 PM	d3dw32.exe:1216	READ  C:\WINDOWS\system32\d3dw32.exe	SUCCESS	Offset: 27648 Length: 512

A-ha! Here's where the start page gets set:

132218	2:55:27 PM	iexplore.exe:800	SetValue	HKCU\Software\Microsoft\Internet Explorer\Main\Start Page	SUCCESS	"res://zznyz.dll/index.html#96676"

d3dw32.exe accesses the shell:

32620	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\SHELL32.dll	SUCCESS	Options: Open  Access: All	
32621	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\SHELL32.dll	SUCCESS	Length: 8240640	
32622	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\SHELL32.dll.124.Manifest	FILE NOT FOUND	Options: Open  Access: All	
32623	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\SHELL32.dll.124.Config	FILE NOT FOUND	Options: Open  Access: All	
32666	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\system32\SHELL32.dll	SUCCESS  

And a whole bunch more!

32667	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe.Local\	FILE NOT FOUND	Attributes: Error	
32668	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805	SUCCESS	Attributes: D	
32669	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805	SUCCESS	Options: Open Directory  Access: Traverse	
32670	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll	SUCCESS	Options: Open  Access: Execute	
32671	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll	SUCCESS	Length: 921600	
32672	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll	SUCCESS  
32673	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll	SUCCESS	Options: Open  Access: Execute	
32674	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll	SUCCESS  
32675	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Attributes: RHA	
32676	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Options: Open  Access: Execute	
32677	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Length: 749	
32678	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\WindowsShell.Manifest	SUCCESS  
32679	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Attributes: RHA	
32680	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Options: Open  Access: All	
32681	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Length: 749	
32682	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\WindowsShell.Manifest	SUCCESS  
32683	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Options: Open  Access: All	
32684	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Length: 749	
32685	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\WindowsShell.Manifest	SUCCESS	Length: 749	
32686	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\WindowsShell.Config	FILE NOT FOUND	Options: Open  Access: All	
32730	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\WindowsShell.Manifest	SUCCESS  
32731	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe	BUFFER OVERFLOW	FileNameInformation	
32732	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\d3dw32.exe	SUCCESS	FileNameInformation	
32733	2:55:27 PM	d3dw32.exe:1216	SET INFORMATION  C:\WINDOWS\system32\config\software.LOG	SUCCESS	Length: 28672	
32734	2:55:27 PM	d3dw32.exe:1216	SET INFORMATION  C:\WINDOWS\system32\config\software.LOG	SUCCESS	Length: 32768	
32735	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\WININET.dll	SUCCESS	Options: Open  Access: All	
32736	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\system32\WININET.dll	SUCCESS	Length: 588288	
32737	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\WININET.dll.123.Manifest	FILE NOT FOUND	Options: Open  Access: All	
32738	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\system32\WININET.dll.123.Config	FILE NOT FOUND	Options: Open  Access: All

Among other things, here it opens that DLL:

32792	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Attributes: A	
32793	2:55:27 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\d3vh32.dll	SUCCESS	Options: Open  Access: Execute	
32794	2:55:27 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\d3vh32.dll	SUCCESS	Length: 91136	
32795	2:55:27 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\d3vh32.dll	SUCCESS  

Lookie here, in the registry, we see it accessing Terminal Server keys:

132219 2:55:27 PM d3dw32.exe:1216 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
132220 2:55:27 PM d3dw32.exe:1216 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
132221 2:55:27 PM d3dw32.exe:1216 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS  
132222 2:55:27 PM d3dw32.exe:1216 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
132226 2:55:27 PM d3dw32.exe:1216 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
132227 2:55:27 PM d3dw32.exe:1216 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
132228 2:55:27 PM d3dw32.exe:1216 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS  
132232 2:55:2

Edited by rd_syringe, 17 June 2004 - 04:14 PM.


#20 rd_syringe

Posted 16 June 2004 - 07:47 PM

Here is some directory browsing done by d3dw32.exe, so you can see what this thing looks at, such as data stored in network connections...note that the phonebook file it tries to access is used by some known trojan dialers, and also we get yet another non-valid system file that doesn't belong, doing god-knows-what:

85958	2:57:59 PM	d3dw32.exe:1216	CREATE	C:\WINDOWS\fomin.dat	SUCCESS	Options: OverwriteIf  Access: All	
85959	2:57:59 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\	SUCCESS	Options: Open  Access: 00000000	
85960	2:57:59 PM	winlogon.exe:456	DIRECTORY	C:\WINDOWS	SUCCESS	Change Notify	
85961	2:58:01 PM	d3dw32.exe:1216	WRITE  C:\WINDOWS\fomin.dat	SUCCESS	Offset: 0 Length: 512	
85962	2:58:01 PM	d3dw32.exe:1216	WRITE  C:\WINDOWS\fomin.dat	SUCCESS	Offset: 512 Length: 512	
85963	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 1024 Length: 512	
85964	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 1536 Length: 512	
85965	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 2048 Length: 512	
85966	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 2560 Length: 512	
85967	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 3072 Length: 512	
85968	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 3584 Length: 512	
85969	2:58:01 PM	d3dw32.exe:1216	WRITE  C:\WINDOWS\fomin.dat	SUCCESS	Offset: 4096 Length: 512	
85970	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 4608 Length: 512	
85971	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 5120 Length: 512	
85972	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 5632 Length: 512	
85973	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 6144 Length: 512	
85974	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 6656 Length: 512	
85975	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 7168 Length: 512	
85976	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 7680 Length: 512	
85977	2:58:01 PM	d3dw32.exe:1216	WRITE  C:\WINDOWS\fomin.dat	SUCCESS	Offset: 8192 Length: 512	
85978	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 8704 Length: 512	
85979	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 9216 Length: 512	
85980	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 9728 Length: 512	
85981	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 10240 Length: 512	
85982	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 10752 Length: 512	
85983	2:58:01 PM	d3dw32.exe:1216	WRITE	C:\WINDOWS\fomin.dat	SUCCESS	Offset: 11264 Length: 328	
85984	2:58:01 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\fomin.dat	SUCCESS  
85985	2:58:01 PM	winlogon.exe:456	DIRECTORY	C:\WINDOWS	SUCCESS	Change Notify	
85986	2:58:01 PM	d3dw32.exe:1216	OPEN	C:\WINDOWS\fomin.dat	SUCCESS	Options: Open  Access: All	
85987	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\WINDOWS\fomin.dat	SUCCESS	FileBasicInformation	
85988	2:58:01 PM	d3dw32.exe:1216	SET INFORMATION  C:\WINDOWS\fomin.dat	SUCCESS	FileBasicInformation	
85989	2:58:01 PM	winlogon.exe:456	DIRECTORY	C:\WINDOWS	SUCCESS	Change Notify	
85990	2:58:01 PM	d3dw32.exe:1216	CLOSE	C:\WINDOWS\fomin.dat	SUCCESS  
85991	2:58:01 PM	d3dw32.exe:1216	SET INFORMATION  C:\WINDOWS\system32\config\software.LOG	SUCCESS	Length: 110592	
85993	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
85994	2:58:01 PM	d3dw32.exe:1216	OPEN	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS	Options: Open Directory  Access: All	
85995	2:58:01 PM	d3dw32.exe:1216	DIRECTORY	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS	FileBothDirectoryInformation: rasphone.pbk	
85996	2:58:01 PM	d3dw32.exe:1216	CLOSE	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS  
85997	2:58:01 PM	d3dw32.exe:1216	OPEN	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS	Options: Open  Access: All	
85998	2:58:01 PM	d3dw32.exe:1216	READ  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS	Offset: 0 Length: 2048	
85999	2:58:01 PM	d3dw32.exe:1216	CLOSE	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS  
86000	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86001	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86002	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86003	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86004	2:58:01 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86007	2:58:02 PM	d3dw32.exe:1216	READ  C:\WINDOWS\system32\WININET.DLL	SUCCESS	Offset: 238592 Length: 8192	
86008	2:58:02 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86009	2:58:02 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008	
86010	2:58:02 PM	d3dw32.exe:1216	OPEN	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS	Options: Open Directory  Access: All	
86011	2:58:02 PM	d3dw32.exe:1216	DIRECTORY	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS	FileBothDirectoryInformation: rasphone.pbk	
86012	2:58:02 PM	d3dw32.exe:1216	CLOSE	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\	SUCCESS  
86013	2:58:02 PM	d3dw32.exe:1216	OPEN	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS	Options: Open  Access: All	
86014	2:58:02 PM	d3dw32.exe:1216	READ  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS	Offset: 0 Length: 2048	
86015	2:58:02 PM	d3dw32.exe:1216	CLOSE	C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk	SUCCESS  
86016	2:58:02 PM	d3dw32.exe:1216	QUERY INFORMATION	C:\Documents and Settings\Parents\Local Settings\Temporary Internet Files\Content.IE5\index.dat	SUCCESS	Length: 16171008

It also created and wrote two new files, "uotw.dat" and "wrkpr.dat," in c:\windows\system32. So far, this thing has left random files all over the place. My computer is INFESTED. No wonder it's so difficult to get rid of.

Edited by rd_syringe, 16 June 2004 - 07:53 PM.
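
The chain traced in the two posts above (iexplore.exe writes a DLL and an executable under C:\WINDOWS, the executable starts running, the Start Page is set to a res:// URL inside the new DLL, and the new process reads rasphone.pbk) can be picked out of a Filemon/Regmon export automatically. The following is an added example, not part of the original posts and not a tool from Sysinternals; the rule names and the sample log are constructed here, with the sample modelled on the excerpts quoted in the thread.

```python
import re
from collections import namedtuple
from ntpath import basename, splitext

Event = namedtuple("Event", "seq process pid request path result detail")
Finding = namedtuple("Finding", "rule seq process target")

# Filemon/Regmon columns are tab separated; forum copies often turn a tab
# into two or more spaces, so both are accepted as field separators.
FIELD_SEP = re.compile(r"\s*\t\s*| {2,}")
START_PAGE_VALUE = r"\internet explorer\main\start page"
RES_URL = re.compile(r'"?res://([^/"]+)/', re.IGNORECASE)

# Constructed sample, modelled on the excerpts quoted in the posts above.
SAMPLE_LOG = "\n".join([
    "30783\t2:54:45 PM\twinlogon.exe:456\tDIRECTORY\tC:\\WINDOWS\\system32\tSUCCESS\tChange Notify",
    "31614\t2:55:14 PM\tiexplore.exe:800\tWRITE  C:\\WINDOWS\\system32\\zznyz.dll\tSUCCESS\tOffset: 0 Length: 512",
    "31615\t2:55:14 PM\tiexplore.exe:800\tWRITE  C:\\WINDOWS\\system32\\zznyz.dll\tSUCCESS\tOffset: 512 Length: 512",
    "32277\t2:55:16 PM\tiexplore.exe:800\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\d3dw32.exe\tFILE NOT FOUND\tAttributes: Error",
    "32304\t2:55:18 PM\tiexplore.exe:800\tCREATE\tC:\\WINDOWS\\system32\\d3dw32.exe\tSUCCESS\tOptions: OverwriteIf  Access: All",
    "32604\t2:55:27 PM\td3dw32.exe:1216\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\d3dw32.exe\tSUCCESS\tFileNameInformation",
    "132218\t2:55:27 PM\tiexplore.exe:800\tSetValue\tHKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page\tSUCCESS\t\"res://zznyz.dll/index.html#96676\"",
    "85997\t2:58:01 PM\td3dw32.exe:1216\tOPEN\tC:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk\tSUCCESS\tOptions: Open  Access: All",
    "85998\t2:58:01 PM\td3dw32.exe:1216\tREAD  C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk\tSUCCESS\tOffset: 0 Length: 2048",
])


def parse_line(line):
    """Return an Event, or None for prose and truncated log lines."""
    parts = FIELD_SEP.split(line.strip(), maxsplit=6)
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    parts += [""] * (7 - len(parts))          # CLOSE lines carry no detail column
    seq, _time, proc, request, path, result, detail = parts
    name, _, pid = proc.rpartition(":")
    if not pid.isdigit():
        return None
    return Event(int(seq), name.lower(), int(pid), request.upper(),
                 path, result, detail)


def analyze(log_text):
    """Flag the chain the posts describe: drop, run, homepage change, phonebook read."""
    dropped = {}      # lower-cased file name -> full path of the written binary
    reported = set()  # (rule, key) already emitted, collapses repeated block I/O
    findings = []

    def report(rule, ev, target, key):
        if (rule, key) not in reported:
            reported.add((rule, key))
            findings.append(Finding(rule, ev.seq, ev.process, target))

    for ev in filter(None, map(parse_line, log_text.splitlines())):
        ok = ev.result == "SUCCESS"
        fname = basename(ev.path).lower()

        # 1. An .exe or .dll created or written under the Windows directory.
        #    Real triage would allowlist installers and update services here.
        if (ok and ev.request in ("CREATE", "WRITE")
                and splitext(fname)[1] in (".exe", ".dll")
                and ev.path.lower().startswith("c:\\windows\\")):
            dropped.setdefault(fname, ev.path)
            report("binary-written", ev, ev.path, fname)

        # 2. A process whose image name matches a binary written earlier.
        #    Filemon logs only the image name, so the match is by name, not path.
        if ev.process in dropped:
            report("dropped-binary-ran", ev, dropped[ev.process], ev.process)
            # 3. That same process opening the dial-up phonebook.
            if ok and fname == "rasphone.pbk" and ev.request in ("OPEN", "READ"):
                report("dropped-binary-read-phonebook", ev, ev.path, ev.process)

        # 4. The IE Start Page set to a res:// URL, correlated with rule 1.
        if (ok and ev.request == "SETVALUE"
                and ev.path.lower().endswith(START_PAGE_VALUE)):
            match = RES_URL.match(ev.detail)
            if match:
                dll = match.group(1).lower()
                rule = ("start-page-res-dropped-dll" if dll in dropped
                        else "start-page-res-url")
                report(rule, ev, dll, dll)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"{finding.seq:>7}  {finding.rule:<30} {finding.process:<14} {finding.target}")
```

Because the file names are random on each reinfection, the rules key on behaviour (who wrote the binary, and what it did next) rather than on names such as zznyz.dll or d3dw32.exe.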


#21 rd_syringe

Posted 16 June 2004 - 07:57 PM

Later on when I was getting ready to shut down, the log file shows that iexplore.exe scanned for a whole bunch of known trojans and hijackers, many files that programs like Spybot and Ad-Aware detect. A lot of these are associated with, of course, CoolWebSearch, and if you have any of these files, it ain't a good sign.

Thanks to Filemon, here is a complete list of files this thing looks for and will use if it finds them:

89903	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\googlems.dll	FILE NOT FOUND	Attributes: Error	
89904	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\common files\web folders\mswsc10.dll	PATH NOT FOUND	Attributes: Error	
89905	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\microsoft\office\excel10.dll	FILE NOT FOUND	Attributes: Error	
89906	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\microsoft\office\word10.dll	FILE NOT FOUND	Attributes: Error	
89907	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\searchword.dll	FILE NOT FOUND	Attributes: Error	
89908	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\autosearch.dll	PATH NOT FOUND	Attributes: Error	
89909	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\autose~1.dll	PATH NOT FOUND	Attributes: Error	
89910	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\searchaddon.dll	PATH NOT FOUND	Attributes: Error	
89911	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\search~1.dll	PATH NOT FOUND	Attributes: Error	
89912	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\toolbar.dll	PATH NOT FOUND	Attributes: Error	
89913	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\webinfo.dll	PATH NOT FOUND	Attributes: Error	
89914	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\msconfd.dll	FILE NOT FOUND	Attributes: Error	
89915	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\msconfd.dll	FILE NOT FOUND	Attributes: Error	
89916	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\msconfd.dll	FILE NOT FOUND	Attributes: Error	
89917	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\navext.dll	FILE NOT FOUND	Attributes: Error	
89918	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\navext.dll	FILE NOT FOUND	Attributes: Error	
89919	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\navext.dll	FILE NOT FOUND	Attributes: Error	
89920	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dnsrelay.dll	FILE NOT FOUND	Attributes: Error	
89921	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnsrelay.dll	FILE NOT FOUND	Attributes: Error	
89922	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnsrelay.dll	FILE NOT FOUND	Attributes: Error	
89923	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\msspi.dll	FILE NOT FOUND	Attributes: Error	
89924	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\msspi.dll	FILE NOT FOUND	Attributes: Error	
89925	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\msspi.dll	FILE NOT FOUND	Attributes: Error	
89926	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\xplugin.dll	FILE NOT FOUND	Attributes: Error	
89927	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\xplugin.dll	FILE NOT FOUND	Attributes: Error	
89928	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\xplugin.dll	FILE NOT FOUND	Attributes: Error	
89929	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dnserr.dll	FILE NOT FOUND	Attributes: Error	
89930	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnserr.dll	FILE NOT FOUND	Attributes: Error	
89931	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnserr.dll	FILE NOT FOUND	Attributes: Error	
89932	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dreplace.dll	FILE NOT FOUND	Attributes: Error	
89933	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dreplace.dll	FILE NOT FOUND	Attributes: Error	
89934	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dreplace.dll	FILE NOT FOUND	Attributes: Error	
89935	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\iempg2.dll	FILE NOT FOUND	Attributes: Error	
89936	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\iempg2.dll	FILE NOT FOUND	Attributes: Error	
89937	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\iempg2.dll	FILE NOT FOUND	Attributes: Error	
89938	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\gsim.dll	FILE NOT FOUND	Attributes: Error	
89939	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\gsim.dll	FILE NOT FOUND	Attributes: Error	
89940	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\gsim.dll	FILE NOT FOUND	Attributes: Error	
89941	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\ieasst.dll	FILE NOT FOUND	Attributes: Error	
89942	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\ieasst.dll	FILE NOT FOUND	Attributes: Error	
89943	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\ieasst.dll	FILE NOT FOUND	Attributes: Error	
89944	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\avpcc.dll	FILE NOT FOUND	Attributes: Error	
89945	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\avpcc.dll	FILE NOT FOUND	Attributes: Error	
89946	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\avpcc.dll	FILE NOT FOUND	Attributes: Error	
89947	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
89948	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
89949	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
89950	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\help_dcc.dll	FILE NOT FOUND	Attributes: Error	
89951	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\help_dcc.dll	FILE NOT FOUND	Attributes: Error	
89952	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\help_dcc.dll	FILE NOT FOUND	Attributes: Error	
89953	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\help_ecc.dll	FILE NOT FOUND	Attributes: Error	
89954	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\help_ecc.dll	FILE NOT FOUND	Attributes: Error	
89955	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\help_ecc.dll	FILE NOT FOUND	Attributes: Error	
89956	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\1.00.07.dll	FILE NOT FOUND	Attributes: Error	
89957	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\1.00.07.dll	FILE NOT FOUND	Attributes: Error	
89958	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\1.00.07.dll	FILE NOT FOUND	Attributes: Error	
89959	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\services\1.00.07.dll	PATH NOT FOUND	Attributes: Error	
89960	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\services\1.00.07.dll	PATH NOT FOUND	Attributes: Error	
89961	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\1.00.07.dll	PATH NOT FOUND	Attributes: Error	
89962	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\autosearch.dll	FILE NOT FOUND	Attributes: Error	
89963	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\autosearch.dll	FILE NOT FOUND	Attributes: Error	
89964	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\autosearch.dll	FILE NOT FOUND	Attributes: Error	
89965	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\coolwebsearch-info.dll	FILE NOT FOUND	Attributes: Error	
89966	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\coolwebsearch-info.dll	FILE NOT FOUND	Attributes: Error	
89967	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\coolwebsearch-info.dll	FILE NOT FOUND	Attributes: Error	
89968	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dnse.dll	FILE NOT FOUND	Attributes: Error	
89969	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnse.dll	FILE NOT FOUND	Attributes: Error	
89970	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnse.dll	FILE NOT FOUND	Attributes: Error	
89971	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mgs_32.dll	FILE NOT FOUND	Attributes: Error	
89972	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\mgs_32.dll	FILE NOT FOUND	Attributes: Error	
89973	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\mgs_32.dll	FILE NOT FOUND	Attributes: Error	
89974	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\searchaddon.dll	FILE NOT FOUND	Attributes: Error	
89975	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\searchaddon.dll	FILE NOT FOUND	Attributes: Error	
89976	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\searchaddon.dll	FILE NOT FOUND	Attributes: Error	
89977	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\sys_ext.dll	FILE NOT FOUND	Attributes: Error	
89978	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\sys_ext.dll	FILE NOT FOUND	Attributes: Error	
89979	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\sys_ext.dll	FILE NOT FOUND	Attributes: Error	
89980	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\toolband.dll	FILE NOT FOUND	Attributes: Error	
89981	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\toolband.dll	FILE NOT FOUND	Attributes: Error	
89982	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\toolband.dll	FILE NOT FOUND	Attributes: Error	
89983	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\webinfo.dll	FILE NOT FOUND	Attributes: Error	
89984	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\webinfo.dll	FILE NOT FOUND	Attributes: Error	
89985	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\webinfo.dll	FILE NOT FOUND	Attributes: Error	
89986	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\winres.dll	FILE NOT FOUND	Attributes: Error	
89987	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\winres.dll	FILE NOT FOUND	Attributes: Error	
89988	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winres.dll	FILE NOT FOUND	Attributes: Error	
89989	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\word10.dll	FILE NOT FOUND	Attributes: Error	
89990	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\word10.dll	FILE NOT FOUND	Attributes: Error	
89991	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\word10.dll	FILE NOT FOUND	Attributes: Error	
89992	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\excel10.dll	FILE NOT FOUND	Attributes: Error	
89993	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\excel10.dll	FILE NOT FOUND	Attributes: Error	
89994	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\excel10.dll	FILE NOT FOUND	Attributes: Error	
89995	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mtwirl32.dll	FILE NOT FOUND	Attributes: Error	
89996	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\mtwirl32.dll	FILE NOT FOUND	Attributes: Error	
89997	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\mtwirl32.dll	FILE NOT FOUND	Attributes: Error	
89998	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\xplugin.dlldreplace-unpacked.dll	FILE NOT FOUND	Attributes: Error	
89999	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\xplugin.dlldreplace-unpacked.dll	FILE NOT FOUND	Attributes: Error	
90000	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\xplugin.dlldreplace-unpacked.dll	FILE NOT FOUND	Attributes: Error	
90001	2:59:26 PM	iexplore.exe:800	SET INFORMATION  C:\WINDOWS\system32\config\software.LOG	SUCCESS	Length: 163840	
90007	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\IEToolbar\	FILE NOT FOUND	Options: Open Directory  Access: All	
90008	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\Inet Delivery\	FILE NOT FOUND	Options: Open Directory  Access: All	
90009	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\180solutions\	FILE NOT FOUND	Options: Open Directory  Access: All	
90010	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\bleh16\	FILE NOT FOUND	Options: Open Directory  Access: All	
90011	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\Internet Optimizer\	FILE NOT FOUND	Options: Open Directory  Access: All	
90012	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\ISTbar\	FILE NOT FOUND	Options: Open Directory  Access: All	
90013	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\ISTsvc\	FILE NOT FOUND	Options: Open Directory  Access: All	
90014	2:59:26 PM	iexplore.exe:800	OPEN	C:\Program Files\Power Scan\	FILE NOT FOUND	Options: Open Directory  Access: All	
90015	2:59:26 PM	iexplore.exe:800	OPEN	C:\WINDOWS\LastGood\	FILE NOT FOUND	Options: Open Directory  Access: All	
90016	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\System32\svc.exe	FILE NOT FOUND	Attributes: Error	
90017	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\iedll.exe	FILE NOT FOUND	Attributes: Error	
90018	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\loader.exe	FILE NOT FOUND	Attributes: Error	
90019	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\qttasks.exe	FILE NOT FOUND	Attributes: Error	
90020	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\TEMP\ADDCLASS.EXE	FILE NOT FOUND	Attributes: Error	
90021	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\SYSTEM\svcinit.exe	FILE NOT FOUND	Attributes: Error	
90022	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\SYSTEM32\svcinit.exe	FILE NOT FOUND	Attributes: Error	
90023	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mssys.exe	FILE NOT FOUND	Attributes: Error	
90024	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\SYSTEM\tapicfg.exe	FILE NOT FOUND	Attributes: Error	
90025	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\SYSTEM32\tapicfg.exe	FILE NOT FOUND	Attributes: Error	
90026	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\quicken.exe	FILE NOT FOUND	Attributes: Error	
90027	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\editpad.exe	FILE NOT FOUND	Attributes: Error	
90028	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\hosts	FILE NOT FOUND	Attributes: Error	
90029	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\drivers\etc\hosts	FILE NOT FOUND	Attributes: Error	
90030	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\SYSTEM32\ctfmon.exe	FILE NOT FOUND	Attributes: Error	
90031	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\winlogon.exe	FILE NOT FOUND	Attributes: Error	
90032	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\explore.exe	FILE NOT FOUND	Attributes: Error	
90033	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\sysinfo.exe	FILE NOT FOUND	Attributes: Error	
90034	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\control.exe	FILE NOT FOUND	Attributes: Error	
90035	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\System32\winservn.exe	FILE NOT FOUND	Attributes: Error	
90036	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\System32\soundmx.exe	FILE NOT FOUND	Attributes: Error	
90037	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\susp.exe	FILE NOT FOUND	Attributes: Error	
90038	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\shell.dll	FILE NOT FOUND	Attributes: Error	
90039	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\System32\shell.dll	FILE NOT FOUND	Attributes: Error	
90040	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mwsvm.exe	FILE NOT FOUND	Attributes: Error	
90041	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\frsk.exe	FILE NOT FOUND	Attributes: Error	
90042	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\Fonts\fonts.hta	FILE NOT FOUND	Attributes: Error	
90043	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\documents and settings\all users\startup\winlogon.exe	PATH NOT FOUND	Attributes: Error	
90044	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\documents settings\sistem.exe	PATH NOT FOUND	Attributes: Error	
90045	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\games\systemcritical.exe	PATH NOT FOUND	Attributes: Error	
90046	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\in\iefeatures.exe	PATH NOT FOUND	Attributes: Error	
90047	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\krroxwxigt.exe	FILE NOT FOUND	Attributes: Error	
90048	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\link.exe	FILE NOT FOUND	Attributes: Error	
90049	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\All Users\Start Menu\Programs\startup\msupdate.exe	FILE NOT FOUND	Attributes: Error	
90050	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\googlems.dll	FILE NOT FOUND	Attributes: Error	
90051	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\microsoft\office\excel10.dll	FILE NOT FOUND	Attributes: Error	
90052	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\microsoft\office\word10.dll	FILE NOT FOUND	Attributes: Error	
90053	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\application data\searchword.dll	FILE NOT FOUND	Attributes: Error	
90054	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\startup\winlogon.exe	PATH NOT FOUND	Attributes: Error	
90055	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\accessories\accesss.exe	PATH NOT FOUND	Attributes: Error	
90056	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\common files\microsoft shared\msinfo\info32.exe	FILE NOT FOUND	Attributes: Error	
90057	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\common files\microsoft shared\msinfo\msinfo.exe	FILE NOT FOUND	Attributes: Error	
90058	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\common files\system\systeem.exe	FILE NOT FOUND	Attributes: Error	
90059	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\common files\web folders\mswsc10.dll	PATH NOT FOUND	Attributes: Error	
90060	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\comsoft\dialers\hotaction_jp\hotaction_jp.exe	PATH NOT FOUND	Attributes: Error	
90061	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\autosearch.dll	PATH NOT FOUND	Attributes: Error	
90062	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\autose~1.dll	PATH NOT FOUND	Attributes: Error	
90063	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\install.exe	PATH NOT FOUND	Attributes: Error	
90064	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\searchaddon.dll	PATH NOT FOUND	Attributes: Error	
90065	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\search~1.dll	PATH NOT FOUND	Attributes: Error	
90066	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\toolbar.dll	PATH NOT FOUND	Attributes: Error	
90067	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\internet explorer\toolbar\webinfo.dll	PATH NOT FOUND	Attributes: Error	
90068	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\avpcc.dll	FILE NOT FOUND	Attributes: Error	
90069	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\bipw.exe	FILE NOT FOUND	Attributes: Error	
90070	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
90071	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\default.css	FILE NOT FOUND	Attributes: Error	
90072	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\editpad.exe	FILE NOT FOUND	Attributes: Error	
90073	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\explore.exe	FILE NOT FOUND	Attributes: Error	
90074	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\fonts\msoffice.hta	FILE NOT FOUND	Attributes: Error	
90075	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\help\helpcvs.exe	FILE NOT FOUND	Attributes: Error	
90076	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\help_dcc.dll	FILE NOT FOUND	Attributes: Error	
90077	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\help_ecc.dll	FILE NOT FOUND	Attributes: Error	
90078	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\iexplorer.exe	FILE NOT FOUND	Attributes: Error	
90079	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\inf\drvupd.inf	FILE NOT FOUND	Attributes: Error	
90080	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\inf\keymgr3.inf	FILE NOT FOUND	Attributes: Error	
90081	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\inf\oemsyspnp.inf	FILE NOT FOUND	Attributes: Error	
90082	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\kk8pwxm634.exe	FILE NOT FOUND	Attributes: Error	
90083	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\media\wmplayer.exe	FILE NOT FOUND	Attributes: Error	
90084	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\msconfd.dll	FILE NOT FOUND	Attributes: Error	
90085	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mssys.exe	FILE NOT FOUND	Attributes: Error	
90086	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\my.css	FILE NOT FOUND	Attributes: Error


#22 rd_syringe

Posted 16 June 2004 - 07:59 PM

(cont.)

90087	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\navext.dll	FILE NOT FOUND	Attributes: Error	
90088	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\olehelp.exe	FILE NOT FOUND	Attributes: Error	
90089	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\qttasks.exe	FILE NOT FOUND	Attributes: Error	
90090	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\quicken.exe	FILE NOT FOUND	Attributes: Error	
90091	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\sistem.exe	FILE NOT FOUND	Attributes: Error	
90092	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\start menu\programs\accessories\game.exe	PATH NOT FOUND	Attributes: Error	
90093	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\1.00.07.dll	FILE NOT FOUND	Attributes: Error	
90094	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\astctl32.ocx	FILE NOT FOUND	Attributes: Error	
90095	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\autosearch.dll	FILE NOT FOUND	Attributes: Error	
90096	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\avpcc.dll	FILE NOT FOUND	Attributes: Error	
90097	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\bootconf.exe	FILE NOT FOUND	Attributes: Error	
90098	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\coolwebsearch-info.dll	FILE NOT FOUND	Attributes: Error	
90099	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\ctfmon32.exe	FILE NOT FOUND	Attributes: Error	
90100	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
90101	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnse.dll	FILE NOT FOUND	Attributes: Error	
90102	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnserr.dll	FILE NOT FOUND	Attributes: Error	
90103	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dnsrelay.dll	FILE NOT FOUND	Attributes: Error	
90104	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\dreplace.dll	FILE NOT FOUND	Attributes: Error	
90105	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\excel10.dll	FILE NOT FOUND	Attributes: Error	
90106	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\googlems.dll	FILE NOT FOUND	Attributes: Error	
90107	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\ietoolbar.dll	FILE NOT FOUND	Attributes: Error	
90108	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\mgs_32.dll	FILE NOT FOUND	Attributes: Error	
90109	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\msconfd.dll	FILE NOT FOUND	Attributes: Error	
90110	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\msspi.dll	FILE NOT FOUND	Attributes: Error	
90111	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\mupdate.exe	FILE NOT FOUND	Attributes: Error	
90112	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\navext.dll	FILE NOT FOUND	Attributes: Error	
90113	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\searchaddon.dll	FILE NOT FOUND	Attributes: Error	
90114	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\y.exe	PATH NOT FOUND	Attributes: Error	
90115	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\svchost32.exe	FILE NOT FOUND	Attributes: Error	
90116	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\svcinit.exe	FILE NOT FOUND	Attributes: Error	
90117	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\svcpack.exe	FILE NOT FOUND	Attributes: Error	
90118	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\sys_ext.dll	FILE NOT FOUND	Attributes: Error	
90119	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\toolband.dll	FILE NOT FOUND	Attributes: Error	
90120	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\wcadw.dll	FILE NOT FOUND	Attributes: Error	
90121	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\webinfo.dll	FILE NOT FOUND	Attributes: Error	
90122	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winlink.dll	FILE NOT FOUND	Attributes: Error	
90123	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winproc32.exe	FILE NOT FOUND	Attributes: Error	
90124	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winres.dll	FILE NOT FOUND	Attributes: Error	
90125	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\word10.dll	FILE NOT FOUND	Attributes: Error	
90126	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\xplugin.dll	FILE NOT FOUND	Attributes: Error	
90127	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\1.00.07.dll	FILE NOT FOUND	Attributes: Error	
90128	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\astctl32.ocx	FILE NOT FOUND	Attributes: Error	
90129	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\autosearch.dll	FILE NOT FOUND	Attributes: Error	
90130	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\avpcc.dll	FILE NOT FOUND	Attributes: Error	
90131	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\bootconf.exe	FILE NOT FOUND	Attributes: Error	
90132	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\coolwebsearch-info.dll	FILE NOT FOUND	Attributes: Error	
90133	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\ctfmon32.exe	FILE NOT FOUND	Attributes: Error	
90134	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\ctrlpan.dll	FILE NOT FOUND	Attributes: Error	
90135	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnse.dll	FILE NOT FOUND	Attributes: Error	
90136	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnserr.dll	FILE NOT FOUND	Attributes: Error	
90137	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dnsrelay.dll	FILE NOT FOUND	Attributes: Error	
90138	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\dreplace.dll	FILE NOT FOUND	Attributes: Error	
90139	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\excel10.dll	FILE NOT FOUND	Attributes: Error	
90140	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\googlems.dll	FILE NOT FOUND	Attributes: Error	
90141	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\ietoolbar.dll	FILE NOT FOUND	Attributes: Error	
90142	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\internet.exe	FILE NOT FOUND	Attributes: Error	
90143	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\mgs_32.dll	FILE NOT FOUND	Attributes: Error	
90144	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\msconfd.dll	FILE NOT FOUND	Attributes: Error	
90145	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\msspi.dll	FILE NOT FOUND	Attributes: Error	
90146	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\mtwirl32.dll	FILE NOT FOUND	Attributes: Error	
90147	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\mupdate.exe	FILE NOT FOUND	Attributes: Error	
90148	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\navext.dll	FILE NOT FOUND	Attributes: Error	
90149	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\searchaddon.dll	FILE NOT FOUND	Attributes: Error	
90150	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\services\1.00.07.dll	PATH NOT FOUND	Attributes: Error	
90151	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\svchost32.exe	FILE NOT FOUND	Attributes: Error	
90152	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\svcinit.exe	FILE NOT FOUND	Attributes: Error	
90153	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\svcpack.exe	FILE NOT FOUND	Attributes: Error	
90154	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\sys_ext.dll	FILE NOT FOUND	Attributes: Error	
90155	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\toolband.dll	FILE NOT FOUND	Attributes: Error	
90156	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\wcadw.dll	FILE NOT FOUND	Attributes: Error	
90157	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\webinfo.dll	FILE NOT FOUND	Attributes: Error	
90158	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\winlink.dll	FILE NOT FOUND	Attributes: Error	
90159	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\winres.dll	FILE NOT FOUND	Attributes: Error	
90160	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\word10.dll	FILE NOT FOUND	Attributes: Error	
90161	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system\xplugin.dll	FILE NOT FOUND	Attributes: Error	
90162	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\temp\addclass.exe	FILE NOT FOUND	Attributes: Error	
90163	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\web\oslogo.bmp	FILE NOT FOUND	Attributes: Error	
90164	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\web\tips.ini	FILE NOT FOUND	Attributes: Error	
90165	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\web\win.defadvapi32.def	FILE NOT FOUND	Attributes: Error	
90166	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\backdoor.sinit.c.exe	FILE NOT FOUND	Attributes: Error	
90167	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\bootconf.asm	FILE NOT FOUND	Attributes: Error	
90168	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\bootconf.txt	FILE NOT FOUND	Attributes: Error	
90169	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\control.exe	FILE NOT FOUND	Attributes: Error	
90170	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\cool web search  affiliate program.txt	FILE NOT FOUND	Attributes: Error	
90171	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\cool web search  affiliate program0.txt	FILE NOT FOUND	Attributes: Error	
90172	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\coolwebsearch.info.exe	FILE NOT FOUND	Attributes: Error	
90173	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\counterx.exe	FILE NOT FOUND	Attributes: Error	
90174	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\counterx.ex~	FILE NOT FOUND	Attributes: Error	
90175	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\dict.dat	FILE NOT FOUND	Attributes: Error	
90176	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\directx.exe	FILE NOT FOUND	Attributes: Error	
90177	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\dllimport.inc	FILE NOT FOUND	Attributes: Error	
90178	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\dreplace-unpacked.dll	FILE NOT FOUND	Attributes: Error	
90179	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\dwinf.exe	FILE NOT FOUND	Attributes: Error	
90180	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\f22776.exe	FILE NOT FOUND	Attributes: Error	
90181	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\filemon.log	FILE NOT FOUND	Attributes: Error	
90182	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\fntldr.exe	FILE NOT FOUND	Attributes: Error	
90183	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\hh.htt	FILE NOT FOUND	Attributes: Error	
90184	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ieak6.exe	FILE NOT FOUND	Attributes: Error	
90185	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ieaktext.txt	FILE NOT FOUND	Attributes: Error	
90186	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\iefeatures.ocx	FILE NOT FOUND	Attributes: Error	
90187	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ietoolbar.htm	FILE NOT FOUND	Attributes: Error	
90188	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ietoolbar.inf	FILE NOT FOUND	Attributes: Error	
90189	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\internetfeatures.exe	FILE NOT FOUND	Attributes: Error	
90190	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\kernel32.def	FILE NOT FOUND	Attributes: Error	
90191	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ld.exe	FILE NOT FOUND	Attributes: Error	
90192	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ld.exe report.txt	FILE NOT FOUND	Attributes: Error	
90193	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\ld.rsf	FILE NOT FOUND	Attributes: Error	
90194	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\links.dll	FILE NOT FOUND	Attributes: Error	
90195	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\load.exe	FILE NOT FOUND	Attributes: Error	
90196	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\loader.exe	FILE NOT FOUND	Attributes: Error	
90197	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\msahde.dll	FILE NOT FOUND	Attributes: Error	
90198	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\msfind.exe	FILE NOT FOUND	Attributes: Error	
90199	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\msg{c704f4e7-d57a-4fb6-9d81-fab8e6b88b0f}0115.dll	FILE NOT FOUND	Attributes: Error	
90200	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\msikmh.dll	FILE NOT FOUND	Attributes: Error	
90201	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\mstaskm.exe	FILE NOT FOUND	Attributes: Error	
90202	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\mswsc20.dll	FILE NOT FOUND	Attributes: Error	
90203	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\mtwcnl32.dll	FILE NOT FOUND	Attributes: Error	
90204	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\notepad.exe	FILE NOT FOUND	Attributes: Error	
90205	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\reg32.exe	FILE NOT FOUND	Attributes: Error	
90206	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\regmon.log	FILE NOT FOUND	Attributes: Error	
90207	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\rundll32.vbe	FILE NOT FOUND	Attributes: Error	
90208	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\rundll32.vbs	FILE NOT FOUND	Attributes: Error	
90209	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20030929.exe	FILE NOT FOUND	Attributes: Error	
90210	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20030929_unpacked.exe	FILE NOT FOUND	Attributes: Error	
90211	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20031008.exe	FILE NOT FOUND	Attributes: Error	
90212	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20031008_unpacked.exe	FILE NOT FOUND	Attributes: Error	
90213	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20031010.exe	FILE NOT FOUND	Attributes: Error	
90214	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20031010_unpacked.exe	FILE NOT FOUND	Attributes: Error	
90215	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\sinit-20031022_unpacked.exe	FILE NOT FOUND	Attributes: Error	
90216	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\soundmx.exe	FILE NOT FOUND	Attributes: Error	
90217	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\svchost.exe	FILE NOT FOUND	Attributes: Error	
90218	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\svchost.old	FILE NOT FOUND	Attributes: Error	
90219	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\tapicfg.exe	FILE NOT FOUND	Attributes: Error	
90220	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\toolband.inf	FILE NOT FOUND	Attributes: Error	
90221	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\trojan.win32.krepper.f.exe	FILE NOT FOUND	Attributes: Error	
90222	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\trojan.win32.madise.a.dll	FILE NOT FOUND	Attributes: Error	
90223	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\unpacked.exe	FILE NOT FOUND	Attributes: Error	
90224	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\valg.hta	FILE NOT FOUND	Attributes: Error	
90225	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\web.exe	FILE NOT FOUND	Attributes: Error	
90226	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\win.def	FILE NOT FOUND	Attributes: Error	
90227	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\Internet Explorer\3674.exe	FILE NOT FOUND	Attributes: Error	
90228	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Program Files\WebSiteViewer\123002.dlr	PATH NOT FOUND	Attributes: Error	
90229	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\cax.dll	FILE NOT FOUND	Attributes: Error	
90230	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\inakjoy.dll	FILE NOT FOUND	Attributes: Error	
90231	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\moakrtin.dll	FILE NOT FOUND	Attributes: Error	
90232	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\olehelp.exe	FILE NOT FOUND	Attributes: Error	
90233	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\wmplayer.exe	PATH NOT FOUND	Attributes: Error	
90234	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\sysquery1.exe	FILE NOT FOUND	Attributes: Error	
90235	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winec.dll	FILE NOT FOUND	Attributes: Error	
90236	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\Documents and Settings\Parents\Application Data\mssb.exe	FILE NOT FOUND	Attributes: Error	
90237	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\didduid.ini	FILE NOT FOUND	Attributes: Error	
90238	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dl.exe	FILE NOT FOUND	Attributes: Error	
90239	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dlm.exe	FILE NOT FOUND	Attributes: Error	
90240	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mssys.exe	FILE NOT FOUND	Attributes: Error	
90241	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\mstasks.exe	FILE NOT FOUND	Attributes: Error	
90242	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\preInsTT.exe	FILE NOT FOUND	Attributes: Error	
90243	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\reg33.exe	FILE NOT FOUND	Attributes: Error	
90244	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\sys.reg	FILE NOT FOUND	Attributes: Error	
90245	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\cmd.exe	FILE NOT FOUND	Attributes: Error	
90246	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\configs.exe	FILE NOT FOUND	Attributes: Error	
90247	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\i.exe	FILE NOT FOUND	Attributes: Error	
90248	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\p.exe	FILE NOT FOUND	Attributes: Error	
90249	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\q.exe	FILE NOT FOUND	Attributes: Error	
90250	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\search.page.html	FILE NOT FOUND	Attributes: Error	
90251	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\x.exe	FILE NOT FOUND	Attributes: Error	
90252	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\xxx.folder	FILE NOT FOUND	Attributes: Error	
90253	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\y.exe	FILE NOT FOUND	Attributes: Error	
90254	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\tmp.dll	PATH NOT FOUND	Attributes: Error	
90255	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\crontab.ini	PATH NOT FOUND	Attributes: Error	
90256	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\keywords.ini	PATH NOT FOUND	Attributes: Error	
90257	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\titles.ini	PATH NOT FOUND	Attributes: Error	
90258	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\services\sl.ini	PATH NOT FOUND	Attributes: Error	
90259	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\winupd.exe	FILE NOT FOUND	Attributes: Error	
90260	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\loadnew.exe	FILE NOT FOUND	Attributes: Error	
90261	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\secure.html	FILE NOT FOUND	Attributes: Error	
90262	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\dl.html	FILE NOT FOUND	Attributes: Error	
90263	2:59:26 PM	iexplore.exe:800	QUERY INFORMATION	C:\WINDOWS\system32\zznyz.dll	SUCCESS	Attributes: A

Notice that, unfortunately for me, it stopped searching right when it successfully found something--zznyz.dll. So ends the suspicious activity, as soon after, I was shutting down.

I greatly apologize if these lists are too long, but you can see everything this thing does, thanks to the logs. That's it from me for now. This thing reads and writes all over the place, from system files to registry keys.

There was more activity that I didn't post. The full log files are available on request, or you can download the file-monitoring tools yourself, linked to earlier.

Edited by rd_syringe, 16 June 2004 - 08:02 PM.
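
The pattern rd_syringe points out in the log above, a long run of failed existence checks by iexplore.exe that stops at the first file it finds, can be pulled out of a Filemon export automatically. This is an added example, not part of the original posts: it assumes the tab-separated column layout shown in the log, and the sample rows, the explorer.exe entries and the `min_misses` threshold are constructed for illustration.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "seq time process pid request path result detail")

PROBE_REQUESTS = {"QUERY INFORMATION", "OPEN"}       # existence checks
MISS_RESULTS = {"FILE NOT FOUND", "PATH NOT FOUND"}
_PROC = re.compile(r"^(?P<name>.+):(?P<pid>\d+)$")
# Some exported rows lose the tab between request and path
# (as in the "SET INFORMATION  C:\WINDOWS\..." row of the log above).
_FUSED = re.compile(r"^(?P<req>.*?\S)\s+(?P<path>[A-Za-z]:\\.*)$")


def parse_line(line):
    """Parse one tab-separated row; return None for anything that is not a log row."""
    fields = [f.strip() for f in line.rstrip("\r\n").split("\t")]
    if len(fields) < 5 or not fields[0].isdigit():
        return None
    proc = _PROC.match(fields[2])
    rest = fields[3:]
    fused = _FUSED.match(rest[0])
    if fused:  # split "REQUEST  C:\path" back into two columns
        rest = [fused["req"], fused["path"]] + rest[1:]
    if proc is None or len(rest) < 3:
        return None
    detail = rest[3] if len(rest) > 3 else ""
    return Event(int(fields[0]), fields[1], proc["name"], int(proc["pid"]),
                 rest[0], rest[1], rest[2], detail)


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def find_probe_sweeps(events, min_misses=5):
    """Report runs of failed existence checks per process.

    Requests other than existence checks are skipped so that interleaved writes
    do not split a run. A run ends at the first existence check that does not
    miss; if that check succeeded, its path is recorded as the hit. Many distinct
    file names separate a presence sweep from an ordinary DLL search, which
    retries one name across several directories.
    """
    sweeps, runs = [], {}

    def close(key, hit):
        misses = runs.pop(key, [])
        if len(misses) >= min_misses:
            sweeps.append({
                "process": key[0], "pid": key[1],
                "first_seq": misses[0].seq, "last_seq": misses[-1].seq,
                "misses": len(misses),
                "distinct_names": len({_basename(e.path) for e in misses}),
                "ended_on_hit": hit,
            })

    for ev in events:
        if ev.request not in PROBE_REQUESTS:
            continue
        key = (ev.process, ev.pid)
        if ev.result in MISS_RESULTS:
            runs.setdefault(key, []).append(ev)
        else:
            close(key, ev.path if ev.result == "SUCCESS" else None)
    for key in list(runs):  # log ended in the middle of a run
        close(key, None)
    return sweeps


def _row(seq, request, path, result, detail="Attributes: Error",
         proc="iexplore.exe:800", sep="\t"):
    return "\t".join([str(seq), "2:59:26 PM", proc, request + sep + path, result, detail])


# Constructed sample in the layout of the log above, reusing a few of its paths.
SAMPLE_LOG = "\n".join([
    _row(90001, "SET INFORMATION", r"C:\WINDOWS\system32\config\software.LOG",
         "SUCCESS", "Length: 163840", sep="  "),
    _row(90007, "OPEN", "C:\\Program Files\\IEToolbar\\", "FILE NOT FOUND",
         "Options: Open Directory  Access: All"),
    _row(90016, "QUERY INFORMATION", r"C:\WINDOWS\System32\svc.exe", "FILE NOT FOUND"),
    _row(90096, "QUERY INFORMATION", r"C:\WINDOWS\system32\avpcc.dll", "FILE NOT FOUND"),
    _row(90130, "QUERY INFORMATION", r"C:\WINDOWS\system\avpcc.dll", "FILE NOT FOUND"),
    # Constructed rows for a second process: one name tried in two directories.
    _row(90131, "QUERY INFORMATION", r"C:\WINDOWS\example.dll", "FILE NOT FOUND",
         proc="explorer.exe:1500"),
    _row(90132, "QUERY INFORMATION", r"C:\WINDOWS\system\example.dll", "FILE NOT FOUND",
         proc="explorer.exe:1500"),
    _row(90170, "QUERY INFORMATION", r"C:\cool web search  affiliate program.txt",
         "FILE NOT FOUND"),
    _row(90254, "QUERY INFORMATION", r"C:\WINDOWS\system32\services\tmp.dll",
         "PATH NOT FOUND"),
    _row(90263, "QUERY INFORMATION", r"C:\WINDOWS\system32\zznyz.dll", "SUCCESS",
         "Attributes: A"),
])


def analyze(text, min_misses=5):
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return events, find_probe_sweeps(events, min_misses)


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG)[1]:
        print("{process}:{pid} missed {misses} paths ({distinct_names} names), "
              "seq {first_seq}-{last_seq}, hit: {ended_on_hit}".format(**s))
```

Run against a full export, the `ended_on_hit` path is the file worth examining first, since it is the one item on the probed list that actually exists on the machine.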


#23 McPick

Posted 16 June 2004 - 08:02 PM

I’ve been reading these discussions with great interest as I, too, am JACKED. I did follow the advice in Boobit’s section last night to visit www.liutilities.com to compare my HT scan file with Li’s lists. I found lots of weird junk on my computer, which I did delete, in and amongst trying to run all the various spyware eliminators suggested in these threads. However, I kept getting repeat performances of the bugs… Finally, while discussing the matter with my son, he suggested I run msconfig and look at the information in the Start Menu. Much of what I was finding on my HT logs, including the phantom .exe’s, was there. I clicked them off, but don’t know how to eliminate them from the Start location. (Does anyone?) I also “Explored” my files and did a LENGTHY investigation of every file and folder I could (normal and hidden), looking for suspicious files. I was amazed at how much I found. I assumed the spyware removal tools would look at all the files, and maybe they did; however, when I finally got my daughter’s password and went into her files I was again amazed at how much junk was still there… After numerous scans. In fact, I don’t know why it’s happening, but Spybot is being rendered useless, even now, when I try to remove the numerous items it locates when scanning in her location.
I wish I could be of more help with this bug, and I don’t even know if anything I’ve found and mentioned will help, but thanks to all of you for your efforts. If this all fails, I see a reformat in my future… Interestingly, I have been online for an hour and haven’t had any of the usual last-several-days repeat performances… Dare I hope???

#24 beezer101

Posted 16 June 2004 - 08:34 PM

I did the massive search and delete method in safe mode and up until now have not yet experienced the symptoms that have haunted me in my sleep for the past two nights. Basically, since I haven't used my computer since the outbreak, I searched for files created that night and checked their validity and destroyed a lot of them. What I did find extremely interesting was this: I had a file much like rd's d3rw32.exe that was being very active in my logs. Mine was named d3ol32.exe. Anyway, there was another file set to run on startup (HKLM/Software/Microsoft/Windows/Current Version/Run) named crqz32.exe, and this file was running the whole time, and it was created May 20th, nearly three weeks beforehand. Peculiar.

Thanks for all the hard work RD and everyone else, let's hope beyond hope.

#25 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 08:46 PM

RD -

Wicked posts, man! Jesus, someone should rename this thread "The Spyware Chronicles". Brilliant investigative work.

There is only one thing left bothering me, and that is what might be controlling iexplore.exe to create the files? Since in safe mode it doesn't necessarily create anything. Do you think that all our infestations start out from one EXE or DLL file?

Great work again, I think we all deserve a round of applause ;)

#26 flarobb

flarobb

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 16 June 2004 - 09:44 PM

I too did the massive search and delete in safe mode and have not re-experienced the problem. Following EmXtrix's instructions seemed to work though I am not sure I understand the need for it being done in safe mode.

#27 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 16 June 2004 - 09:51 PM

I too did the massive search and delete in safe mode and have not re-experienced the problem. Following EmXtrix's instructions seemed to work though I am not sure I understand the need for it being done in safe mode.

It didn't seem to work for me in normal startup - the spyware kept resurfacing. Safe mode probably prevents some of its essential scripting or loading functions. In any case, that's what worked for me so that's what I went with. I'm glad my formula has been working for people thus far!

Keep the feedback coming.

#28 admiralclarke

admiralclarke

    Member

  • New Member
  • Pip
  • 1 posts

Posted 16 June 2004 - 10:21 PM

EmXtrix, I followed your instructions. Everything seems fine at first when I go back to regular mode. But within a short amount of time a process called sysqa.exe comes up on my task manager and my homepage is reset to another random dll. Sysqa.exe shows up in c:\windows\system32\. HiJackThis picked it up and I tried fixing it and deleting the actual file while in safe mode along with the dll file. But it keeps reappearing after I get back to normal mode.

#29 jrobe

jrobe

    Member

  • Full Member
  • Pip
  • 15 posts

Posted 16 June 2004 - 10:26 PM

I am experiencing the same problems. Hijacked browser, popups, and a dialog box that says Office xp is installing components. Ever since my browser was hijacked I went into the add/remove programs app. I found a program I have not noticed before "Home Search Assistent". All the other programs when clicked on will tell you when they were installed in the frequency of use. Not this program. When I click on remove IE pops up and takes me to http:/t73.com. The words are Russian and it looks like a porn site.

#30 pantyhose

pantyhose

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 17 June 2004 - 06:45 AM

Hi

I deleted everything and ran hijackthis and spybot etc all in safe mode

All seems to be good now with no comebacks. My offending file was addvs.exe

I also searched the reg file for any entries of this file and deleted them

The only thing I can not fix is I still have the home search assistant in the add remove of the control panel (but it no longer goes to the site when clicked)

Plus I can not search from the tool bar it just reports page not found and

http:///?%20 in the URL ?

Any help

#31 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 17 June 2004 - 08:18 AM

Pantyhose -

My "Home Search Assistant" entry is still there, too. I think you should be able to fix the search link in the registry (but I'm not absolutely sure).

admiralclarke -

The DLL will not be the only file you need to delete. There may be many, many others. The number of files it generates will probably vary from system to system. Best solution is to check two things:

- Your HiJack This while running in normal mode
and
- Your system processes in your task manager

Compare all running files with entries on LIUtilities.com. If it is not on that site, but in a physical location on your hard drive, delete it. According to the trend, most of the bad files (but not all) should be in C:\Windows\System32 . I had one or two in \Windows though.

#32 Casey33626

Casey33626

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 June 2004 - 08:24 AM

I think I'm leaning towards reformatting and reinstalling software to be 100% sure this thing is gone. In fact, now that I've read this entire thread, I'm certain this is the best course of action.

#33 ryryslide

ryryslide

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 June 2004 - 08:27 AM

If someone could submit their files to Lavasoft so they can incorporate this bug into their Adaware program I think we would all really appreciate it. Go to http://www.lavahelp.com/submit/ to do so.

You may also submit the files so that a fix can be made via Spybot Search and Destroy. The link for that is here.

Thank you very much.

#34 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 17 June 2004 - 08:27 AM

To get rid of Home Search Assistant from your Add/Remove Programs list, delete the following registry folder:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA

#35 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 17 June 2004 - 10:39 AM

For the time being - I am going to PIN this topic and direct the experts' attention to it. Excellent investigative work here :)

#36 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 June 2004 - 11:07 AM

RD -

Wicked posts, man! Jesus, someone should rename this thread "The Spyware Chronicles". Brilliant investigative work.

There is only one thing left bothering me, and that is what might be controlling iexplore.exe to create the files? Since in safe mode it doesn't necessarily create anything. Do you think that all our infestations start out from one EXE or DLL file?

Great work again, I think we all deserve a round of applause ;)

That's a good question. I think whatever it is, it's the source of it all, and I had hoped to discover it scanning those logs, but I couldn't find anything. Something gets run on startup and controls the iexplore.exe process somehow. Perhaps it's just that so many random files are created, deleting one leaves another around. Yet something is still executing these processes on Windows startup.

The fact that safe mode seems to stop it is interesting and gives us a place to look for where it could be, obviously in some important startup system file. Before I attempt to clean my system, I'll run Ace Utilities on my registry and check out any invalid entries it detects. I also recommend that people run full virus scan on their systems after cleaning this off, just to be sure none of those trojan files are around.

#37 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 17 June 2004 - 11:23 AM

Our Experts are working on it.



#38 bodisattva

bodisattva

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 June 2004 - 11:37 AM

Hello everyone,

Please excuse my total ignorance in manners and software as this is my first posting ever. This thread completely describes my spyware problem, however as a newbie I am very confused as to what the posted solution exactly is. Could you post a condensed set of directions for people like me?

#39 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 17 June 2004 - 03:11 PM

I did so on page 1, go back and check it out. It's a broad set of steps, so you may have to play around and alter it a bit, but it should work.

rd - I'll admit that I might have accidentally clicked yes on an ActiveX script (I clicked return and may have forgot to switch the clicked-option from Yes to No). It could have possibly created and executed an EXE and then deleted it shortly after to clean up its own tracks.

Today is Day 2 and I am still clean so far.

#40 GutFunk

GutFunk

    Member

  • New Member
  • Pip
  • 4 posts

Posted 17 June 2004 - 04:17 PM

I've had this problem and worked to fix it for 8 hours yesterday to no avail, and finally today, I went ahead and started to delete everything suspicious.

Emx and RD, thanks for your outstanding advice! I have finally had this thing cleaned off my system. (for now)

It's very important that you do delete EVERYTHING associated with this, a few dll's, .exe's and .bat's located in the windows and system32 directories. I haven't made any major changes or installations on my pc since May, so anything suspicious that was made after May, I canned them. Some of the files date May 20th, which is why I didn't delete them earlier, assuming that all the files were created on June 16th (the day I got it).

Once again, thanks guys for all your effort. It pays off, and hopefully a fix or update to something will fix this problem for those of us still having trouble with this highly annoying piece of junk.

#41 rd_syringe

rd_syringe

    Member

  • Full Member
  • Pip
  • 20 posts

Posted 17 June 2004 - 04:18 PM

My brother has relayed to me that "Shopping Wizard" has now appeared in the Add/Remove Programs dialog, and attempting to remove it takes you to the same website "Home Search Assistent" does.

He's run safe mode and gone through the process of deleting the files and so on, and he says so far it hasn't returned. It's good that the home page isn't being hijacked and popups aren't occurring, but there's no way of knowing how much of the spyware is still left sitting around and what it's capable of doing, so I'll keep checking up on what I can.

#42 MI43

MI43

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 17 June 2004 - 04:36 PM

Something I should tell you all which was really intriguing when I was trying to fix the DLL hijacker problem. First I went into safe mode, there I used Spybot revealing that I had CoolWWWsearch.mshp but I didn't fix them yet, I just left it. Then I ran Hijackthis and had the usual :// programs that keep coming back.

I went into C:/WINDOWS finding the usual programs, except I've found about 200 DAP files with titles like assad or wopasd, just random names. I checked each 'DAP' file in C:/WINDOWS, finding all those names with meaningless letters were created today, yesterday, or before yesterday, the same time the :// problem started occurring for me. It took me a good hour to check all those programs to see when they were made, and then deleted them; almost all of them had random letters as titles, some with 32. Then I went back and re-checked that I hadn't missed deleting any file with strange random letters for its name, because I had a hunch that if one file was left un-deleted, the door would still be open for more of those files to pour in (I had close to 200 in the recycle bin!).

Nonetheless I deleted any and all files that were created in those 3 days because I knew I hadn't dl'ed anything then. Then I cleared my recycle bin of them. Afterward, all of this happening in safe mode, I cleared the still opened Hijackthis spyware, and check fixed the CoolWWWSearch.mshp files in Spybot, then I restarted w/o Safemode, and the weirdest thing is as Windows started up, a message appeared saying "RUNDLL32 Not Found." with the red X and OK button. This is the program that would always kick in each time Windows started.

Edits in bold.

Edited by MI43, 17 June 2004 - 05:38 PM.


#43 photo11401

photo11401

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 17 June 2004 - 05:01 PM

I finally got it wiped out after 3 days of reading this thread!

Here's a helpful tip: in safe mode open C:\windows and sort the files by date with most recent on top. Select detail view by right clicking. Search for all recent files with 89kb, 12kb, or 70kb or 1kb and usually 5 characters followed by .dll, .exe, or .dat. Some had the following syntax n_6characters.dat. (I chose to rename all the bad files with a "1" in front of each filename in case I chose a bad file I could restore it - see complete list below). I found the earliest date was 5/17/04 and everything previous to that was OK. Next go to C:\windows\system32 and do the same thing.

Here are the files that I renamed (ignore the leading digit "1"):

Directory of C:\WINDOWS

05/18/2004 05:29 71,680 1ahthl.dll
05/26/2004 10:44 71,534 1befka.dll
05/18/2004 06:15 1,009 1blfov.dat
05/28/2004 02:58 1,009 1bzpuy.dat
06/11/2004 09:46 28,160 1crzd32.exe
06/15/2004 12:16 11,592 1dqzco.dat
06/09/2004 08:32 11,592 1dslme.dat
05/22/2004 04:13 11,388 1eakub.dat
06/16/2004 02:49 11,592 1eddsq.dat
06/05/2004 07:33 71,680 1fqiby.dll
05/22/2004 02:40 71,534 1fuzhr.dll
06/14/2004 02:20 71,680 1gglrx.dll
05/18/2004 05:31 71,534 1hgwem.dll
05/17/2004 07:56 11,388 1hqrlw.dat
06/09/2004 12:19 71,680 1inmmk.dll
06/03/2004 12:51 1,009 1iyxbd.dat
05/22/2004 03:34 71,680 1kmpem.dll
05/21/2004 12:54 71,680 1luwzi.dll
06/01/2004 06:50 28,160 1lzlncc.dat
06/15/2004 07:44 9,216 1msto32.exe
05/29/2004 03:19 71,680 1muugd.dll
05/22/2004 09:59 11,592 1mzhol.dat
05/23/2004 12:13 1,009 1mztjy.dat
05/23/2004 12:13 71,680 1mztjy.dll
05/21/2004 07:09 11,388 1nczcg.dat
06/15/2004 12:43 11,592 1nelfi.dat
05/22/2004 10:00 91,136 1noevne.dat
06/16/2004 01:07 11,592 1nwaxn.dat
05/17/2004 11:27 91,136 1n_afkkfb.dat
06/01/2004 11:07 91,136 1n_bkemqf.dat
06/11/2004 02:35 91,136 1n_durher.dat
05/23/2004 12:13 91,136 1n_mztjyu.dat
06/15/2004 05:24 91,136 1n_pnrgtp.dat
06/05/2004 05:55 28,160 1n_pvrawe.dat
06/04/2004 03:42 91,136 1n_rrsgvl.dat
06/01/2004 08:58 11,388 1ouler.dat
06/11/2004 01:17 11,592 1pbucw.dat
06/11/2004 05:24 11,388 1pdznf.dat
06/14/2004 02:20 1,009 1peiho.dat
05/26/2004 04:41 11,592 1pgsny.dat
06/04/2004 10:36 71,680 1piugj.dll
06/14/2004 09:31 11,592 1pkttv.dat
06/15/2004 01:43 11,591 1poshw.dat
05/21/2004 02:10 1,009 1pxpeh.dat
06/02/2004 12:34 11,388 1qtgbb.dat
06/01/2004 12:49 71,680 1riplx.dll
06/08/2004 09:57 71,680 1rrvir.dll
06/15/2004 10:48 11,388 1rtebz.dat
06/14/2004 06:25 32,256 1sdkqh32.dll
06/11/2004 03:31 28,160 1sdkwa.exe
06/07/2004 05:40 91,136 1sobrpv.dat
06/09/2004 03:04 11,592 1tomdf.dat
05/20/2004 09:42 11,592 1uuxor.dat
06/03/2004 09:34 11,592 1vjopb.dat
05/18/2004 06:15 71,680 1voyki.dll
06/09/2004 02:36 11,592 1wgkli.dat
06/03/2004 07:09 71,680 1wvjre.dll
05/25/2004 03:13 11,388 1wzpgl.dat
06/09/2004 11:33 11,388 1xipln.dat
05/18/2004 06:15 11,388 1xtrzb.dat
05/30/2004 10:58 11,388 1zdrdb.dat
06/13/2004 07:52 1,009 1zehek.dat
62 File(s) 2,324,260 bytes
0 Dir(s) 8,858,603,520 bytes free

Directory of C:\WINDOWS\SYSTEM32

06/09/2004 01:38 28,160 1appsg32.exe
06/11/2004 11:31 71,680 1cruwa.dll
05/24/2004 12:56 9,216 1d3xb32.exe
06/06/2004 03:37 11,592 1epfsq.dat
06/11/2004 11:32 11,388 1evxpi.dat
06/02/2004 04:32 11,592 1exokt.dat
06/05/2004 07:33 1,009 1eydhw.dat
05/28/2004 11:45 1,009 1fzjuc.dat
05/26/2004 08:50 1,009 1galcf.dat
05/28/2004 07:33 1,009 1huypm.dat
05/30/2004 11:50 11,388 1hviuu.dat
06/08/2004 06:57 91,136 1ieje32.dll
05/28/2004 03:50 8,704 1ievv32.exe
06/01/2004 10:25 1,009 1ihxth.dat
05/24/2004 05:55 9,216 1ippw.exe
06/16/2004 02:32 0 1ipxp.exe
06/14/2004 11:56 1,009 1krcgn.dat
06/07/2004 11:36 11,592 1mgoho.dat
06/08/2004 09:27 11,388 1mjllz.dat
05/28/2004 03:31 90,101 1msvx.dll
05/20/2004 03:45 71,534 1nbmml.dll
06/08/2004 01:46 11,591 1owbon.dat
06/02/2004 05:52 1,009 1qpkjn.dat
05/21/2004 02:58 1,009 1qsdzy.dat
06/08/2004 09:57 1,009 1rgpog.dat
06/05/2004 07:32 90,101 1sdkex.dll
06/02/2004 08:08 28,160 1sdkfi.exe
06/09/2004 12:17 11,592 1sgtxn.dat
06/07/2004 05:14 11,388 1svvgf.dat
05/21/2004 01:40 90,112 1syskd32.dll
06/14/2004 11:06 91,136 1syslc.dll
06/14/2004 02:35 1,009 1tbhmt.dat
06/13/2004 07:22 1,009 1tgpxs.dat
05/22/2004 06:28 1,009 1thgyx.dat
05/24/2004 12:02 11,592 1ttoou.dat
05/30/2004 11:55 11,388 1vbdfl.dat
05/27/2004 11:00 1,009 1vdhkg.dat
05/20/2004 02:24 11,592 1vsrxv.dat
06/04/2004 04:13 11,592 1vxmkq.dat
06/08/2004 12:13 1,009 1vzwza.dat
06/08/2004 12:13 71,680 1vzwza.dll
05/26/2004 03:00 11,592 1wpkrc.dat
06/14/2004 02:20 11,388 1xhiex.dat
06/02/2004 04:46 1,009 1zonni.dat
46 File(s) 943,110 bytes
8 Dir(s) 8,858,603,520 bytes free

C:\WINDOWS\SYSTEM32>

Note that some exe's in this dir were only 4 characters.exe

I hope this helps!!! Oh, after this I ran HiJackThis and cleared out all temp directories as detailed in previous threads and ran spybot and hijackthis again before rebooting. Can someone analyze the above files before I delete them permanently to verify they are all part of the spyware hijacking?

I have only one remaining problem: I still have the office installer popup only when opening internet explorer (I have to cancel 3 times). I knew NOTHING about spyware 3 days ago. Thank you everyone for all the great information!!!
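The triage heuristic from post #43 (recent .dll/.exe/.dat files whose Explorer size is 1, 12, 70 or 89 KB, or whose name is five random letters or n_ plus six letters), as an added example that is not part of the original thread. The function name, the constants and the sample listing are constructed for illustration, and the names are assumed to be the originals, without the "1" prefix the poster added when renaming.

```python
import math
import re
from datetime import date, datetime

# Signals taken from post #43; everything else here is a hypothetical helper.
SUSPECT_EXTS = {".dll", ".exe", ".dat"}
SUSPECT_SIZES_KB = {1, 12, 70, 89}          # as Explorer shows them (rounded up)
NAME_RE = re.compile(r"^(?:[a-z]{5}|n_[a-z]{6})$")
# One file row of `dir` output: date, time, optional AM/PM, byte count, name.
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+\d{2}:\d{2}(?:\s+[AP]M)?\s+([\d,]+)\s+(.+)$")

# Constructed sample listing (not taken from any real machine).
SAMPLE_LISTING = r"""
 Directory of C:\WINDOWS\SYSTEM32

05/01/2004  09:00 AM            71,680 abcde.dll
05/18/2004  05:29 PM            71,680 qwxzv.dll
05/23/2004  12:13 AM            91,136 n_kdjfhs.dat
06/11/2004  03:31 PM            28,160 vbnmq.exe
06/15/2004  07:44 AM             1,009 config1.dat
06/01/2004  12:00 PM           983,552 kernel32.dll
06/10/2004  02:02 PM    <DIR>          drivers
               6 File(s)      1,247,217 bytes
"""


def triage(listing, cutoff):
    """Return [(name, [reasons])] for files worth a manual look.

    A file is listed only if it is dated on or after `cutoff`, has one of
    the suspect extensions, and matches the size or the name signal.
    """
    hits = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # headers, <DIR> rows, totals
        day, size, name = m.groups()
        stem, dot, ext = name.lower().rpartition(".")
        if not dot or "." + ext not in SUSPECT_EXTS:
            continue
        if datetime.strptime(day, "%m/%d/%Y").date() < cutoff:
            continue                      # older than the first bad file
        reasons = []
        size_kb = math.ceil(int(size.replace(",", "")) / 1024)
        if size_kb in SUSPECT_SIZES_KB:
            reasons.append(f"size {size_kb}KB")
        if NAME_RE.match(stem):
            reasons.append("name pattern")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    # 5/17/04 is the earliest bad date the poster reported on their machine.
    for name, reasons in triage(SAMPLE_LISTING, date(2004, 5, 17)):
        print(f"{name:16} {', '.join(reasons)}")
```

The output is a review list, not a delete list: a legitimate file can match on size or name alone, which is why the poster renamed files and asked for a second opinion before deleting.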

#44 EmXtrix

EmXtrix

    Visionary

  • Full Member
  • Pip
  • 12 posts

Posted 17 June 2004 - 05:02 PM

RunDLL32 is a necessary part of Windows, I think. It loads the DLLs so that Windows can use them, so of course the Spyware would utilize this.

And yes - this is indeed one of the best Spyware threads available :D

Edited by EmXtrix, 17 June 2004 - 05:04 PM.


#45 Beasley

Beasley

    Member

  • New Member
  • Pip
  • 3 posts

Posted 17 June 2004 - 05:07 PM

I had a bad infestation last week. I got rid of some stuff that seemed related to the Peper trojan, from some posts that I read. It looked to me like there were two programs running all the time, watching the registry and each other. The programs seemed to have random 5-character names (+.exe). If you closed one out with Task Manager, another would appear almost immediately. Similarly, if you found the HJT entry (in Windows\System32) for different random-name programs, you could delete it, but when you ran HJT again there would be another one. I saw about 6-8 names, updating in a cycle.

I made note of the entry in HJT, but did not delete it yet. Instead, I restarted the machine in safe mode with Command Line. Then I entered attrib -h -s <filename> to clear the hidden and system flags for the bad guy, and I deleted the exe. In this one, the exe was always set to hidden and system so you couldn't see it easily, and you couldn't readily delete it. (attrib -r will get rid of the read-only attribute, for those of you who have misplaced your DOS books. I found a couple of those, too.) Finally, I restarted normally and ran HJT to delete the offending exe.

#46 madgeronimo

madgeronimo

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 17 June 2004 - 05:08 PM

I'm going to try all this... thanks for the excellent work folks... it looks like progress is being made...

#47 garon

garon

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 17 June 2004 - 05:14 PM

I have this virus as well. I ran Norton to see if it would pick up anything and it did find several files. Norton has quarantined some files but not all but four files. If you guys are interested in what I found I can post what Norton found here, or you can check out my post. The Norton post should be towards the bottom.

http://www.spywarein...t=0

#48 Drewmeister

Drewmeister

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 17 June 2004 - 05:30 PM

By the way, based on the file and process monitoring posted before, I also found two related files in the windows prefetch directory. I don't think these by themselves would do anything, but you might want to delete them just for completeness' sake.

#49 MI43

MI43

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 17 June 2004 - 05:40 PM

I edited my last post clearly on wiping out the :// menace.
The workable method I used was essentially making sure every last possible file must be deleted; if one is left, it still had the door open for more possible ones to come in.

Edited by MI43, 17 June 2004 - 05:41 PM.


#50 frontacct

frontacct

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 June 2004 - 05:47 PM

I've been preventing and removing spyware with the basic tools out there for some time now but I'm by no means an expert like some of the folks posting here. It's made for great reading (I discovered this site today) and I'm quite impressed with the collaboration of everyone posting.

What I'm really curious about is what circumstances are common to everyone that triggered the installation of this spyware in the first place? Has any attempt been made to isolate its source? Can it be blocked by using some readily-available tools (SpywareBlaster and SpyBot each have "immunization tools" but I don’t know if they would protect against this infection), by changing settings in your browser (it seems like this just affects IE, so ActiveX or scripting controls), or changing browsers altogether (Mozilla)?

Thanks for the quality posts and replies!



