It KEEPS coming BACK ...!!!!!


23 replies to this topic

#1 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 19 May 2004 - 12:29 PM

Hi... please help. I have a worm that keeps coming back no matter what. I use CWShredder and I downloaded HijackThis (here is the log). Please help. When I go to Windows XP Update it says that I don't need any patches. Thanks... MK


Logfile of HijackThis v1.97.7
Scan saved at 10:26:54 AM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Documents and Settings\Kerk\Application Data\uhae.exe
C:\WINDOWS\System32\wtscc.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\unzipped\hijackthis[1]\HijackThis.exe
C:\unzipped\cwshredder\CWShredder.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.quicken.com/myfinances/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: WebBlinds - {4F92B827-1E56-4E30-A978-A17A7861A606} - C:\PROGRA~1\OBJECT~1\WEBBLI~1\webblinds.dll
O2 - BHO: (no name) - {90B7AF1D-F598-4A48-8BDD-6EB4266891F3} - C:\WINDOWS\System32\idhb.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [Uhtr] C:\Documents and Settings\Kerk\Application Data\uhae.exe
O4 - HKCU\..\Run: [WAPI] C:\WINDOWS\System32\wtscc.exe
O4 - Startup: YahooPOPs.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.co.../cx_tgctlcm.jsp
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8112.6336342593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
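
The log above shows the pattern the helpers in this thread react to. As an added illustration (not code from the original post, from HijackThis or from anyone in the thread), the Python script below walks a HijackThis 1.x log and flags the entry types abused here: IE search settings pointed at a res:// resource inside a local DLL, an unnamed BHO loaded from System32, Run entries launched from a user's Application Data folder or by New.Net, the IE policy restrictions and DisableRegedit lockdown, the O10 Winsock hijack, and ActiveX controls pulled from bare IP addresses. The sample input is a dozen entry lines copied from the log above; the heuristics and their wording are my own and will need tuning on other logs.

```python
import re

# Sample input: a dozen entry lines copied from the HijackThis log posted above
# (a constructed subset, not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\idhb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.quicken.com/myfinances/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {90B7AF1D-F598-4A48-8BDD-6EB4266891F3} - C:\WINDOWS\System32\idhb.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [Uhtr] C:\Documents and Settings\Kerk\Application Data\uhae.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
"""

# "R1 - body" / "O16 - body"; process-list and header lines do not match.
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# ActiveX (O16) fetched from a bare IPv4 address instead of a hostname.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]", re.I)


def parse_entries(text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_entry(section, body):
    """Return a reason string if the entry looks hostile, else None.

    The heuristics mirror what the helpers in this thread reacted to; they
    are my own wording and will raise false positives on other machines."""
    b = body.lower()
    if section in ("R0", "R1") and "res://" in b:
        return "IE search/start page points at a resource inside a local DLL (CWS-style hijack)"
    if section == "O2" and "(no name)" in b and "\\windows\\system32\\" in b:
        return "unnamed BHO loaded from System32 (legitimate BHOs normally live under Program Files)"
    if section == "O4" and ("\\application data\\" in b or "new.net" in b or "newdot" in b):
        return "autostart from the user profile or New.Net, not a normal install location"
    if section == "O6":
        return "IE restriction policy present; rare on a home PC, commonly planted by the hijacker"
    if section == "O7" and "disableregedit=1" in b:
        return "regedit disabled by policy, which stops the user undoing the hijack by hand"
    if section == "O10" and "hijacked" in b:
        return "Winsock LSP hijack; uninstall the product, deleting the DLL alone breaks networking"
    if section == "O16" and BARE_IP_URL.search(b):
        return "ActiveX control downloaded from a bare IP address"
    return None


def triage(text):
    """Return [(section, body, reason)] for every flagged entry, in log order."""
    return [(s, body, r) for s, body in parse_entries(text)
            for r in [flag_entry(s, body)] if r]


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```

Run against the full log, the script is a first pass only: everything it leaves unflagged (the O4 [WAPI] wtscc.exe entry, for instance) still has to be checked by a human against known-good lists, which is exactly what the helpers do in the rest of the thread.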

#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 19 May 2004 - 04:32 PM

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find the "Appinit_Dlls" value in the right-side panel, double-click it, and copy and post here the information in the 'Value' field.

#3 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 19 May 2004 - 05:16 PM

Daemon:

Thanks a bunch... here it goes:

C:\WINDOWS\System32\msbh.dll

Another thing is that when the PC starts there is a window that says "P sear1" on the blue part of the window and nothing else... can you help? MK

#4 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 20 May 2004 - 02:30 PM

PLEASE HELP... anybody!

#5 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 20 May 2004 - 04:17 PM

Use the Registrar Lite program. Navigate to (you can type the line directly into reglite address bar and hit 'go'):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Rename the Windows key in the left pane to something else - for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NotWindows

(You should now be able to clear the hidden contents of the AppInit_DLLs value in the right pane without being undone by the hidden process.)

Double-click the "Appinit_Dlls" value in the right pane and erase the data in the lower box (the value field):

"C:\WINDOWS\System32\msbh.dll", hit 'apply' and 'ok' to set.

Rename NotWindows back to Windows in the left pane, close Registrar Lite and reboot the computer. If all goes well the hidden process will not run at startup and you should now be able to find and *see* the msbh.dll in C:\WINDOWS\System32.

Using Explorer, go to your root drive C:\ and create a new folder named 'Junk'. Unzip and run Winfile from here. Open it up and click File > Move...

Copy and paste this into the 'From' box: C:\WINDOWS\System32\msbh.dll
Copy and paste this into the 'To' box: C:\Junk\msbh.dll

Hit OK. Close Winfile and check in C:\Junk for that file - let me know what's there. If it's there, re-run CWShredder, hit 'fix' as opposed to 'scan only'. Reboot when done. Run HJT and post a new log for the final steps.

#6 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 22 May 2004 - 03:27 PM

Hi again... I'm so sorry, but I'm not a computer whiz. Is there any way that you can repeat the above instructions, guiding me step by step with little-kid vocabulary? Again, sorry... but I really do need to fix this nightmare. MK

#7 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 22 May 2004 - 03:31 PM

More exactly... I can't modify the Windows name on the "left bar".

But please tell me step by step as if you were talking to an idiot... thanks again... MK

#8 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 22 May 2004 - 04:30 PM

I thought it was little kid vocabulary :p Just kidding - there is an alternative method that you may be more comfortable with.

Download 'Dllfix.exe' from http://tools.zerosrealm.com/dllfix.exe

It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

At the main menu, press '2' (Run Fix) and enter.

At the second menu, press '1' (Enter DLL Name Manually) and enter. At the prompt, enter: msbh.dll

Your system will reboot in 15 seconds and begin the fix.

When finished, there will be a log (log.txt) in the dllfix folder. Post it in your next reply.

#9 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 25 May 2004 - 01:45 AM

So far so good... you just don't know how much I appreciate this. You guys are like the AAA of the internet. MK... waiting for your reply. Question: how do I prevent this from happening again?




CWSDLL Appinit Fix By Shadowwar
Please Do not mirror Without Permission!
I can be contacted at spywaresubmit at aol.com
Mon 05/24/2004
11:34 PM

Backing up Registry Hive

The operation completed successfully

Deleting Windows Key

The operation completed successfully

Adding Test Windows Key

The operation completed successfully

Restoring temp Values Key

The operation completed successfully

Deleting Bad Appinit Value

The operation completed successfully


Backup of Modified Hiv

The operation completed successfully

Deleting test Windows key

The operation completed successfully

Adding Back Windows Key

The operation completed successfully

Restoring Registry Hive

The operation completed successfully


Restoring Cleaned Appinit Value

The operation completed successfully

Deleting Filter text/plain
Deleting Filter text/html
Running from C:\Documents and Settings\Kerk\Desktop\dllfix

Processing File Manually
C:\WINDOWS\system32\msbh.dll
Md5 Check of C:\WINDOWS\system32\msbh.dll

Md5 tested As C185B36F9969D3A6D2122BA7CBC02249
Md5 matched known baddies.
Processing and Deleting File.
Processing ACL of: <\\?\C:\WINDOWS\system32\msbh.dll>

SetACL finished successfully.

File was successfully Deleted.
Please Run Hijackthis or Cwshredder to finish cleanup.
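
Post #5 above clears the AppInit_DLLs value by hand, and the Dllfix log in this post shows the automated version of the same job: back up the hive, clear the value, then MD5 the listed DLL against known-bad hashes before removing the file. AppInit_DLLs is read by user32.dll, which loads every DLL named there into every process that loads user32, which is why a DLL planted there reappears in each new process and cannot simply be deleted while such a process is running. As an added example that is not part of the thread, of Dllfix or of HijackThis, the Python script below audits that load point the same way: it splits the value into its entries, hashes each file and compares the digest against a known-bad set. The only hash it ships with is the one the Dllfix log above reports for msbh.dll; the System32 default path and the winreg read are assumptions, and the live read only works on Windows when run as an administrator.

```python
import hashlib
import os
import sys

# The only hash here is the one the Dllfix log above reports for msbh.dll
# ("Md5 tested As C185B36F..."). Any other entry would be an assumption.
KNOWN_BAD_MD5 = {"c185b36f9969d3a6d2122ba7cbc02249"}
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
DEFAULT_SYSTEM32 = r"C:\WINDOWS\System32"   # assumed; the posted logs are from an XP box


def parse_appinit(raw):
    """Split an AppInit_DLLs value into its DLL entries.

    The value is a space- or comma-separated REG_SZ list. NUL bytes are
    treated as separators too, so nothing sitting after one is dropped."""
    return [e for e in raw.replace("\x00", " ").replace(",", " ").split() if e]


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, known_bad=KNOWN_BAD_MD5):
    """Return (path, md5 or None, verdict) for one listed DLL."""
    if not os.path.isfile(path):
        return path, None, "missing: file gone but still listed, clear the entry"
    digest = md5_of(path)
    bad = {h.lower() for h in known_bad}
    return path, digest, "KNOWN BAD" if digest in bad else "unknown: review manually"


def audit_value(raw, known_bad=KNOWN_BAD_MD5, system32=DEFAULT_SYSTEM32):
    """Audit every entry of an AppInit_DLLs value; bare file names resolve to System32."""
    results = []
    for entry in parse_appinit(raw):
        path = entry if ("\\" in entry or "/" in entry) else os.path.join(system32, entry)
        results.append(classify(path, known_bad))
    return results


def read_appinit_live():
    """Windows only: read the live value (run elevated). winreg is imported
    here so the rest of the script still runs on other platforms."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "AppInit_DLLs")
    return value


if __name__ == "__main__":
    # Off Windows, audit the value this thread found so the output shape is visible.
    raw = read_appinit_live() if sys.platform == "win32" else r"C:\WINDOWS\System32\msbh.dll"
    for path, digest, verdict in audit_value(raw):
        print(f"{verdict:50} {digest or '-':32} {path}")
```

A "KNOWN BAD" verdict is only as good as the hash list, and an "unknown" DLL in AppInit_DLLs deserves the same suspicion: on a home machine the value is normally empty, so any entry at all is worth explaining before the system is declared clean.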

#10 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 25 May 2004 - 01:54 AM

OK, this is the HijackThis log... because CWShredder says everything is fine, but HijackThis says "Hijacked Internet access by New.Net", so it looks like it's not done quite yet, huh?
God bless you guys... MK



Logfile of HijackThis v1.97.7
Scan saved at 11:49:22 PM, on 5/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\AIM\AIMWDI~1.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/myfinances
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/myfinances
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.quicken.com/myfinances/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: WebBlinds - {4F92B827-1E56-4E30-A978-A17A7861A606} - C:\PROGRA~1\OBJECT~1\WEBBLI~1\webblinds.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [AIMWDInstallFilename] C:\PROGRA~1\AIM\AIMWDI~1.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: YahooPOPs.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8112.6336342593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} (EPlugin Control) - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#11 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 25 May 2004 - 02:13 AM

Click Start>Settings>Control Panel>Add or Remove Programs and uninstall New.Net.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HJT and post a new log here so that any remnants can be removed manually.

#12 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 25 May 2004 - 02:04 PM

OK... this is the log from Ad-Aware, but the message from Norton AntiVirus keeps popping up about different bugs and trojans. CWShredder says everything is OK. Please let me know if there is something I can do to prevent this from happening again. It's driving me nuts... every time I think it's gone, it comes back, like a RASH! Thanks... MK



Lavasoft Ad-aware Professional Build 158
Logfile created on :Tuesday, May 25, 2004 10:08:14 AM
Using reference-file :0R150 05.07.2003
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives


Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-25-2004 4:53:26 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:27 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:28 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:59:11 PM
Last accessed : 5/25/2004 4:53:28 PM
Last modified : 9/3/2002 4:59:11 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:28 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:39:51 PM
Last accessed : 5/25/2004 4:53:34 PM
Last modified : 9/3/2002 4:39:51 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:29 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/25/2004 4:53:38 PM
Last modified : 9/3/2002 5:05:32 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:53:29 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/25/2004 4:53:38 PM
Last modified : 9/3/2002 5:05:32 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:32 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 5:04:18 PM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 9/3/2002 5:04:18 PM

#:8 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 5-25-2004 4:53:33 PM
BasePriority : Normal
FileSize : 229 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 2/21/2004 10:33:09 AM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 11/10/2003 9:30:12 PM

#:9 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 4:53:33 PM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:28:50 PM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 9/3/2002 4:28:50 PM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 5-25-2004 4:53:34 PM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 2/27/2002 6:29:26 PM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 2/27/2002 6:29:26 PM

#:11 [scsiaccess.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:53:34 PM
BasePriority : Normal
FileSize : 177 KB
Created on : 2/4/2003 4:22:30 PM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 2/4/2003 4:22:30 PM

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:53:34 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/25/2004 4:53:38 PM
Last modified : 9/3/2002 5:05:32 PM

#:13 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM32\ZoneLabs\
ThreadCreationTime : 5-25-2004 4:53:34 PM
BasePriority : Normal
FileSize : 805 KB
FileVersion : 4.5.530.000
ProductVersion : 4.5.530.000
Copyright : Copyright 1998-2003, Zone Labs Inc.
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 3/17/2004 8:08:52 PM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 11/16/2003 1:19:40 AM

#:14 [wfxsvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:53:35 PM
BasePriority : Normal
FileSize : 126 KB
FileVersion : 10.00.2000.0214
ProductVersion : 10.00
Copyright : Copyright Symantec Corporation. 1990-2000
CompanyName : Symantec Corporation
FileDescription : Symantec WinFax PRO NT Service
InternalName : WFXSVC
ProductName : Symantec WinFax PRO
Created on : 10/3/2003 8:53:01 AM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 2/15/2000 12:36:22 AM

#:15 [sdmcp.exe]
FilePath : C:\PROGRA~1\COMMON~1\Stardock\
ThreadCreationTime : 5-25-2004 4:54:40 PM
BasePriority : Normal
FileSize : 248 KB
FileVersion : 0, 0, 5, 8
ProductVersion : 0, 0, 5, 8
Copyright : Copyright 2002
CompanyName : Stardock
FileDescription : MCPServer
InternalName : MCP
OriginalFilename : SDMCP.exe
ProductName : Stardock MCP Core Services (System Extensions and Hooks)
Created on : 11/14/2003 1:53:52 AM
Last accessed : 5/25/2004 4:53:26 PM
Last modified : 11/14/2003 1:53:52 AM

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-25-2004 4:54:45 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:32:50 PM
Last accessed : 5/25/2004 5:01:49 PM
Last modified : 9/3/2002 4:32:50 PM

#:17 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ThreadCreationTime : 5-25-2004 4:54:47 PM
BasePriority : Normal
FileSize : 673 KB
FileVersion : 4.5.530.000
ProductVersion : 4.5.530.000
Copyright : Copyright 1998-2003, Zone Labs Inc.
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 3/17/2004 8:08:55 PM
Last accessed : 5/25/2004 5:02:20 PM
Last modified : 11/16/2003 1:20:28 AM

#:18 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ThreadCreationTime : 5-25-2004 4:54:47 PM
BasePriority : Normal
FileSize : 73 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.EXE
ProductName : Norton AntiVirus
Created on : 2/27/2002 6:27:58 PM
Last accessed : 5/25/2004 4:54:49 PM
Last modified : 2/27/2002 6:27:58 PM

#:19 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:54:47 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 3.0.0.3762
ProductVersion : 7.0.0.3762
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 4/7/2004 6:32:36 PM
Last accessed : 5/25/2004 4:54:47 PM
Last modified : 2/10/2004 5:51:30 PM

#:20 [wfxsnt40.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:54:47 PM
BasePriority : Normal
FileSize : 42 KB
FileVersion : 7.00 (Build 019)
ProductVersion : 7.00 (Build 019)
Copyright : Copyright © Symantec Corp. 1990-1997
CompanyName : Microsoft Corporation
FileDescription : Delrina Fax Port Launcher
InternalName : WFXSNT40.DLL
OriginalFilename : WFXSNT40.DLL
ProductName : Microsoft ® Windows NT™ WinFax Printer Driver
Created on : 10/3/2003 8:53:01 AM
Last accessed : 5/25/2004 4:54:47 PM
Last modified : 2/15/2000 12:36:22 AM

#:21 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 5-25-2004 4:54:47 PM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 6:44:46 AM
Last accessed : 5/25/2004 4:54:47 PM
Last modified : 2/23/2004 6:44:44 AM

#:22 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 5-25-2004 4:54:48 PM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright RealNetworks, Inc. 1995-2002
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 11/9/2003 8:11:44 AM
Last accessed : 5/25/2004 4:54:48 PM
Last modified : 11/9/2003 8:11:44 AM

#:23 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-25-2004 4:54:49 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 5/1/2004 6:54:16 AM
Last accessed : 5/25/2004 4:54:49 PM
Last modified : 1/26/2004 5:46:48 PM

#:24 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 5-25-2004 4:54:49 PM
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.75.302
ProductVersion : 9.75.302
Copyright : © 1987-2002 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 3/18/2004 10:24:36 PM
Last accessed : 5/25/2004 4:56:44 PM
Last modified : 11/21/2002 5:50:00 PM

#:25 [ppmemcheck.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-25-2004 4:54:49 PM
BasePriority : Normal
FileSize : 145 KB
Created on : 3/17/2004 9:47:24 AM
Last accessed : 5/25/2004 4:54:52 PM
Last modified : 10/16/2002 5:16:54 AM

#:26 [aimwdi~1.exe]
FilePath : C:\PROGRA~1\AIM\
ThreadCreationTime : 5-25-2004 4:54:51 PM
BasePriority : Normal
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright © 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer

#:27 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-25-2004 4:54:53 PM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:56:58 PM
Last accessed : 5/25/2004 5:02:04 PM
Last modified : 9/3/2002 4:56:58 PM

#:28 [cursorxp.exe]
FilePath : C:\Program Files\CursorXP\
ThreadCreationTime : 5-25-2004 4:54:53 PM
BasePriority : High
FileSize : 122 KB
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
Copyright : Copyright 2001-2003 RiccioSoft, Copyright 2001-2003 Stardock.net, Inc.
CompanyName :
FileDescription : CursorXP
InternalName : CursorXP
OriginalFilename : CursorXP.exe
ProductName : Stardock CursorXP
Created on : 10/21/2003 5:26:33 AM
Last accessed : 5/25/2004 5:01:49 PM
Last modified : 3/2/2003 12:40:20 AM

#:29 [desktop calendar.exe]
FilePath : C:\Program Files\Desktop Calendar\
ThreadCreationTime : 5-25-2004 4:54:54 PM
BasePriority : Normal
FileSize : 432 KB
FileVersion : 0.04
ProductVersion : 0.04
CompanyName : Home
InternalName : Desktop Calendar
OriginalFilename : Desktop Calendar.exe
ProductName : DC Loading
Created on : 4/11/2003 11:20:04 PM
Last accessed : 5/25/2004 5:01:49 PM
Last modified : 4/11/2003 11:20:04 PM

#:30 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 5-25-2004 4:54:58 PM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright © 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 5/23/2004 8:01:20 PM
Last accessed : 5/25/2004 4:54:58 PM
Last modified : 2/25/2004 6:48:26 PM

#:31 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 5-25-2004 4:55:00 PM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/30/2003 2:05:35 AM
Last accessed : 5/25/2004 4:55:00 PM
Last modified : 8/30/2003 2:05:35 AM

#:32 [yahoopops.exe]
FilePath : C:\Program Files\YahooPOPs\
ThreadCreationTime : 5-25-2004 4:55:00 PM
BasePriority : Normal
FileSize : 440 KB
FileVersion : 0, 5, 0, 0
ProductVersion : 0, 5, 0, 0
Copyright : Copyright © 2002 - 2003, The YahooPOPs! Team
CompanyName : http://yahoopops.sourceforge.net
FileDescription : Free POP3/SMTP access to Yahoo! Mail
InternalName : YahooPOPs!
OriginalFilename : YahooPOPs.exe
ProductName : YahooPOPs!
Created on : 8/3/2003 11:47:58 PM
Last accessed : 5/25/2004 5:02:20 PM
Last modified : 8/3/2003 11:47:58 PM

#:33 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 5-25-2004 4:55:04 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 6:14:56 PM
Last accessed : 5/25/2004 4:55:04 PM
Last modified : 8/29/2003 6:14:56 PM

#:34 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-25-2004 4:56:12 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/25/2004 5:02:20 PM
Last modified : 8/29/2002 11:00:00 AM

#:35 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-25-2004 4:56:56 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft Windows Operating System
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/25/2004 5:02:20 PM
Last modified : 8/29/2002 11:00:00 AM

#:36 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 5:01:11 PM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:28:48 PM
Last accessed : 5/25/2004 5:01:11 PM
Last modified : 9/3/2002 4:28:48 PM

#:37 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-25-2004 5:01:12 PM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
Copyright : Microsoft Corporation. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft Windows Operating System
Created on : 9/3/2002 4:28:48 PM
Last accessed : 5/25/2004 5:01:11 PM
Last modified : 9/3/2002 4:28:48 PM

#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 5-25-2004 5:04:33 PM
BasePriority : Normal
FileSize : 760 KB
FileVersion : 6.0.1.158
ProductVersion : 6.0.0.0
Copyright : Copyright Lavasoft Sweden
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Professional
Created on : 3/4/2004 10:51:28 PM
Last accessed : 5/25/2004 5:04:33 PM
Last modified : 1/27/2003 6:42:22 PM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New.Net Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net


My-Way Speedbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MyWay


New.Net Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\New.net


New.Net Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value : New.net Startup


New.Net Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value : New.net Startup


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 5
Objects found so far: 5


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 5


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : chakas@advertising[1].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 1:35:25 AM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 1:35:25 AM



Tracking Cookie Object recognized!
Type : File
Data : chakas@atdmt[2].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 2:38:44 AM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 2:38:44 AM



Tracking Cookie Object recognized!
Type : File
Data : chakas@doubleclick[1].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 2:38:08 AM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 2:38:08 AM



Tracking Cookie Object recognized!
Type : File
Data : chakas@servedby.advertising[1].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 1:35:25 AM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 1:35:25 AM



Tracking Cookie Object recognized!
Type : File
Data : chakas@trafficmp[2].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 2:07:26 AM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 2:07:27 AM



Tracking Cookie Object recognized!
Type : File
Data : chakas@webpdp.gator[1].txt
Object : C:\Documents and Settings\cHakAs\Cookies\

Created on : 5/23/2004 7:28:45 PM
Last accessed : 5/25/2004 5:21:13 PM
Last modified : 5/23/2004 7:28:45 PM



Gator Object recognized!
Type : Folder
Object : C:\Documents and Settings\cHakAs\Local Settings\Temp\fsg_tmp



My-Way Speedbar Object recognized!
Type : Folder
Object : C:\Program Files\MyWay



New.Net Object recognized!
Type : Folder
Object : C:\Program Files\NewDotNet



Gator Object recognized!
Type : File
Data : a0058360.exe
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 1816 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : Gator Client Application
InternalName : GMT.exe
OriginalFilename : GMT.exe
ProductName : GAIN
Created on : 4/10/2003 10:59:08 PM
Last accessed : 5/25/2004 6:13:25 PM
Last modified : 4/10/2003 10:59:08 PM



Gator Object recognized!
Type : File
Data : a0058361.exe
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 232 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : Gator Client Application
InternalName : Gator.exe
OriginalFilename : Gator.exe
ProductName : GAIN
Created on : 4/10/2003 10:54:31 PM
Last accessed : 5/25/2004 6:13:26 PM
Last modified : 4/10/2003 10:54:31 PM



Gator Object recognized!
Type : File
Data : a0058362.exe
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 288 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : GAIN Uninstaller applet
InternalName : GUninstaller.exe
OriginalFilename : GUninstaller.exe
ProductName : GAIN
Created on : 4/10/2003 11:04:21 PM
Last accessed : 5/25/2004 6:13:26 PM
Last modified : 4/10/2003 11:04:21 PM



Gator Object recognized!
Type : File
Data : a0058363.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 716 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : egIEClient Dynamic Link Library
InternalName : egIEClient.dll
OriginalFilename : egIEClient.dll
ProductName : GAIN
Created on : 4/10/2003 10:55:21 PM
Last accessed : 5/25/2004 6:13:27 PM
Last modified : 4/10/2003 10:55:21 PM



Gator Object recognized!
Type : File
Data : a0058364.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 116 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : EGIEProcess Dynamic Link Library
InternalName : EGIEProcess dll
OriginalFilename : EGIEProcess dll
ProductName : GAIN
Created on : 4/10/2003 10:55:35 PM
Last accessed : 5/25/2004 6:13:27 PM
Last modified : 4/10/2003 10:55:35 PM



Gator Object recognized!
Type : File
Data : a0058365.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 448 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : EGNSEngine Dynamic Link Library
InternalName : EGNSEngine dll
OriginalFilename : EGNSEngine dll
ProductName : GAIN
Created on : 4/10/2003 10:55:06 PM
Last accessed : 5/25/2004 6:13:28 PM
Last modified : 4/10/2003 10:55:06 PM



Gator Object recognized!
Type : File
Data : a0058366.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 412 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : EGGCEngine Dynamic Link Library
InternalName : EGGCEngine dll
OriginalFilename : EGGCEngine dll
ProductName : GAIN
Created on : 4/10/2003 10:54:51 PM
Last accessed : 5/25/2004 6:13:28 PM
Last modified : 4/10/2003 10:54:51 PM



Gator Object recognized!
Type : File
Data : a0058367.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 348 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2003 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : GatorRes Dynamic Link Library
InternalName : GatorRes DLL
OriginalFilename : GatorRes DLL
ProductName : GAIN
Created on : 4/10/2003 10:54:10 PM
Last accessed : 5/25/2004 6:13:28 PM
Last modified : 4/10/2003 10:54:10 PM



Gator Object recognized!
Type : File
Data : a0058369.exe
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 84 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : CMESys.exe
OriginalFilename : CMESys.exe
ProductName : Gator
Created on : 4/10/2003 11:03:18 PM
Last accessed : 5/25/2004 6:13:30 PM
Last modified : 4/10/2003 11:03:18 PM



Gator Object recognized!
Type : File
Data : a0058370.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 88 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : CMEIIAPI.DLL
OriginalFilename : CMEIIAPI.DLL
ProductName : Gator
Created on : 4/10/2003 11:01:53 PM
Last accessed : 5/25/2004 6:13:30 PM
Last modified : 4/10/2003 11:01:53 PM



Gator Object recognized!
Type : File
Data : a0058371.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 284 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GAppMgr.dll
OriginalFilename : GAppMgr.dll
ProductName : Gator
Created on : 4/10/2003 11:02:51 PM
Last accessed : 5/25/2004 6:13:30 PM
Last modified : 4/10/2003 11:02:51 PM



Gator Object recognized!
Type : File
Data : a0058372.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 132 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GController.dll
OriginalFilename : GController.dll
ProductName : Gator
Created on : 4/10/2003 11:03:02 PM
Last accessed : 5/25/2004 6:13:30 PM
Last modified : 4/10/2003 11:03:02 PM



Gator Object recognized!
Type : File
Data : a0058373.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 244 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GDlwdEng.dll
OriginalFilename : GDlwdEng.dll
ProductName : Gator
Created on : 4/10/2003 11:03:14 PM
Last accessed : 5/25/2004 6:13:31 PM
Last modified : 4/10/2003 11:03:14 PM



Gator Object recognized!
Type : File
Data : a0058374.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 108 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GIocl.dll
OriginalFilename : GIocl.dll
ProductName : Gator
Created on : 4/10/2003 11:02:05 PM
Last accessed : 5/25/2004 6:13:31 PM
Last modified : 4/10/2003 11:02:05 PM



Gator Object recognized!
Type : File
Data : a0058375.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 88 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GIoclClient.dll
OriginalFilename : GIoclClient.dll
ProductName : Gator
Created on : 4/10/2003 11:01:43 PM
Last accessed : 5/25/2004 6:13:31 PM
Last modified : 4/10/2003 11:01:43 PM



Gator Object recognized!
Type : File
Data : a0058376.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 168 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GMTProxy.dll
OriginalFilename : GMTProxy.dll
ProductName : Gator
Created on : 4/10/2003 11:03:22 PM
Last accessed : 5/25/2004 6:13:32 PM
Last modified : 4/10/2003 11:03:22 PM



Gator Object recognized!
Type : File
Data : a0058377.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 212 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GObjs.dll
OriginalFilename : GObjs.dll
ProductName : Gator
Created on : 4/10/2003 11:02:26 PM
Last accessed : 5/25/2004 6:13:32 PM
Last modified : 4/10/2003 11:02:26 PM



Gator Object recognized!
Type : File
Data : a0058378.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 108 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GStore.dll
OriginalFilename : GStore.dll
ProductName : Gator
Created on : 4/10/2003 11:02:36 PM
Last accessed : 5/25/2004 6:13:32 PM
Last modified : 4/10/2003 11:02:36 PM



Gator Object recognized!
Type : File
Data : a0058379.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 100 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GStoreServer.dll
OriginalFilename : GStoreServer.dll
ProductName : Gator
Created on : 4/10/2003 11:03:31 PM
Last accessed : 5/25/2004 6:13:33 PM
Last modified : 4/10/2003 11:03:31 PM



Gator Object recognized!
Type : File
Data : a0058380.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP65\
FileSize : 416 KB
FileVersion : 4.1.2.6
ProductVersion : 4.1.2.6
Copyright : Copyright 1999-2002 The Gator Corporation
CompanyName : The Gator Corporation
FileDescription : CME II Client Application
InternalName : GTools.dll
OriginalFilename : GTools.dll
ProductName : Gator
Created on : 4/10/2003 11:01:31 PM
Last accessed : 5/25/2004 6:13:33 PM
Last modified : 4/10/2003 11:01:31 PM



My-Way Speedbar Object recognized!
Type : File
Data : a0060183.dll
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP67\
FileSize : 32 KB
FileVersion : 1, 0, 1, 1
ProductVersion : 1, 0, 1, 1
Copyright : Copyright 2000, 2001, 2002
CompanyName : My Way
FileDescription : My Way Plugin for 32-bit Windows
InternalName : MyWayPlugin
OriginalFilename : NPMyWay.DLL
ProductName : My Way Plugin
Created on : 5/23/2004 2:51:27 AM
Last accessed : 5/25/2004 6:13:52 PM
Last modified : 5/23/2004 2:51:27 AM



Disk scan result for C:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 35

11:37:13 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :01:28:58:16
Objects scanned :123330
Objects identified :35
Objects ignored :0
New objects :35
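
Reading an Ad-aware log of this length by hand is slow, and the answer to "why does it keep coming back" is already in it: New.net has a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so it is relaunched at every logon, and the Gator and My-Way files sit under C:\System Volume Information\_restore{...}, i.e. inside System Restore points, from which a later restore puts them straight back. The parser below is an added example written for this edit, not code from the thread or from Lavasoft. It reads the Ad-aware 6 log format as posted, lists the processes for which Ad-aware could read no version resource at all (a triage starting point, not a malware verdict; scsiaccess.exe, ppmemcheck.exe and jusched.exe in the log above are such entries, and the last is a legitimate Java updater) and, per detected family, flags Run-key autostart values and restore-point copies. The log excerpt embedded in it is constructed from entries of the same shape as the posted log, and the Run-key and restore-point path patterns are the editor's assumptions about what counts as persistence.

```python
# Added example: summarise an Ad-aware 6 scan log (the format posted in this
# thread). Not code from the thread or from Lavasoft.
import re
from collections import defaultdict

# Constructed excerpt with the same block shapes as the posted log.
SAMPLE_LOG = """\
#:11 [scsiaccess.exe]
FilePath : C:\\WINDOWS\\System32\\
FileSize : 177 KB
Created on : 2/4/2003 4:22:30 PM

#:12 [svchost.exe]
FilePath : C:\\WINDOWS\\System32\\
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
CompanyName : Microsoft Corporation

New.Net Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Value : New.net Startup

Gator Object recognized!
Type : File
Data : a0058360.exe
Object : C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP65\\

Tracking Cookie Object recognized!
Type : File
Data : chakas@doubleclick[1].txt
Object : C:\\Documents and Settings\\cHakAs\\Cookies\\
"""

PROC_RE = re.compile(r"^#:(\d+) \[(.+)\]$")
DET_RE = re.compile(r"^(.+?) Object recognized!$")
KV_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")
# Assumed persistence patterns: ...\CurrentVersion\Run{,Once,Services} values,
# and files under a System Restore point, C:\System Volume Information\_restore{GUID}\RPnn\
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services)?$", re.IGNORECASE)
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)

def _blocks(text):
    """Yield the log's blank-line-separated blocks as lists of lines."""
    block = []
    for line in text.splitlines():
        if line.strip():
            block.append(line.rstrip())
        elif block:
            yield block
            block = []
    if block:
        yield block

def parse_log(text):
    """Return (processes, detections); each entry is a dict of the block's fields."""
    processes, detections = [], []
    for head, *rest in _blocks(text):
        fields = {}
        for line in rest:
            if (m := KV_RE.match(line)):
                fields[m.group(1).strip()] = m.group(2).strip()
        if (m := PROC_RE.match(head)):
            processes.append({"index": int(m.group(1)), "image": m.group(2), **fields})
        elif (m := DET_RE.match(head)):
            detections.append({"family": m.group(1), **fields})
    return processes, detections

def processes_without_version_info(processes):
    """Images with no readable version resource: a triage list, not a verdict."""
    return [p["image"] for p in processes
            if "FileVersion" not in p and "CompanyName" not in p]

def summarise_detections(detections):
    """Per family: count, types seen, Run-key autostarts, restore-point copies."""
    summary = defaultdict(lambda: {"count": 0, "types": set(),
                                   "autostart": [], "restore_point": []})
    for d in detections:
        s = summary[d["family"]]
        s["count"] += 1
        s["types"].add(d.get("Type", "?"))
        obj = d.get("Object", "")
        if d.get("Type") == "RegValue" and RUN_KEY.search(obj):
            s["autostart"].append(f"{d.get('Rootkey', '')}\\{obj} -> {d.get('Value', '')}")
        if RESTORE_POINT.search(obj):
            s["restore_point"].append(d.get("Data", ""))
    return dict(summary)

def report(text):
    """Human-readable triage summary of one log."""
    processes, detections = parse_log(text)
    lines = [f"{len(processes)} processes listed; no version info: "
             f"{processes_without_version_info(processes)}"]
    for family, s in sorted(summarise_detections(detections).items()):
        lines.append(f"{family}: {s['count']} object(s), types {sorted(s['types'])}")
        lines += [f"  autostart value, re-runs at every logon: {e}" for e in s["autostart"]]
        lines += [f"  copy inside a System Restore point: {n}" for n in s["restore_point"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it as-is to see the report for the built-in excerpt, or pass a saved log to report(); the posted log's underline rows are byte 0xAF, which is the macron in Windows-1252 and Ż when decoded as Central European text, so open such a file with encoding="cp1252". The restore-point finding is the practical takeaway: Ad-aware can list those copies but cannot remove them, which is why the usual advice of the period was to disable System Restore, reboot, clean, and re-enable it.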

#13 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 25 May 2004 - 02:07 PM

Ohh... another question... why does Lavasoft have New.net with some entries green and some yellow in the results? Thanks... MK

#14 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 25 May 2004 - 02:15 PM

Did you have AAW clean up what it found?

#15 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 26 May 2004 - 03:01 AM

Yeah, I selected all and then got rid of everything, but I posted here before deleting... is that OK, or did I do something wrong?


Please let me know what can be done to prevent this from happening again........


Thanks in advance... MK... or, if you know, please explain the color coding thing from AAW.

#16 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 26 May 2004 - 12:35 PM

I have just noticed that your AAW is almost 12 months out of date!!!!

You need to download the latest version - click the link I provided and follow my instructions.

#17 ecoexplorer

    Member

  • Full Member
  • 13 posts

Posted 26 May 2004 - 05:41 PM

OK... sorry... here is the new log, from the new AAW.



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, May 26, 2004 11:08:35 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R298 20.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives


5-26-2004 11:08:35 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-26-2004 7:03:43 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:45 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:46 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/3/2002 4:59:11 PM
Last accessed : 5/26/2004 6:08:31 PM
Last modified : 9/3/2002 4:59:11 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:46 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/3/2002 4:39:51 PM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 9/3/2002 4:39:51 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:47 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 9/3/2002 5:05:32 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:03:47 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 9/3/2002 5:05:32 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:50 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/3/2002 5:04:18 PM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 9/3/2002 5:04:18 PM

#:8 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 5-26-2004 7:03:50 AM
BasePriority : Normal
FileSize : 229 KB
FileVersion : 2.1.0.610
ProductVersion : 2.1.0.610
Copyright : Copyright © 2000-2003 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client Settings Manager Service
InternalName : ccSetMgr
OriginalFilename : ccSetMgr.exe
ProductName : Common Client
Created on : 2/21/2004 10:33:09 AM
Last accessed : 5/26/2004 6:06:28 PM
Last modified : 11/10/2003 9:30:12 PM

#:9 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:03:50 AM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:50 PM
Last accessed : 5/26/2004 6:06:28 PM
Last modified : 9/3/2002 4:28:50 PM

#:10 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 5-26-2004 7:03:52 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 2/27/2002 6:29:26 PM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 2/27/2002 6:29:26 PM

#:11 [scsiaccess.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:03:52 AM
BasePriority : Normal
FileSize : 177 KB
Created on : 2/4/2003 4:22:30 PM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 2/4/2003 4:22:30 PM

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:03:52 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 9/3/2002 5:05:32 PM

#:13 [wfxsvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:03:53 AM
BasePriority : Normal
FileSize : 126 KB
FileVersion : 10.00.2000.0214
ProductVersion : 10.00
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Symantec WinFax PRO NT Service
InternalName : WFXSVC
ProductName : Symantec WinFax PRO
Created on : 10/3/2003 8:53:01 AM
Last accessed : 5/26/2004 6:06:29 PM
Last modified : 2/15/2000 12:36:22 AM

#:14 [sdmcp.exe]
FilePath : C:\PROGRA~1\COMMON~1\Stardock\
ThreadCreationTime : 5-26-2004 7:03:56 AM
BasePriority : Normal
FileSize : 248 KB
FileVersion : 0, 0, 5, 8
ProductVersion : 0, 0, 5, 8
Copyright : Copyright
CompanyName : Stardock
FileDescription : MCPServer
InternalName : MCP
OriginalFilename : SDMCP.exe
ProductName : Stardock MCP Core Services (System Extensions and Hooks)
Created on : 11/14/2003 1:53:52 AM
Last accessed : 5/26/2004 5:09:16 PM
Last modified : 11/14/2003 1:53:52 AM

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-26-2004 7:04:01 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 9/3/2002 4:32:50 PM
Last accessed : 5/26/2004 5:48:25 PM
Last modified : 9/3/2002 4:32:50 PM

#:16 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ThreadCreationTime : 5-26-2004 7:04:04 AM
BasePriority : Normal
FileSize : 73 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.EXE
ProductName : Norton AntiVirus
Created on : 2/27/2002 6:27:58 PM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 2/27/2002 6:27:58 PM

#:17 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:04:05 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 3.0.0.3762
ProductVersion : 7.0.0.3762
Copyright : Copyright 1999-2002, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 4/7/2004 6:32:36 PM
Last accessed : 5/26/2004 6:07:29 PM
Last modified : 2/10/2004 5:51:30 PM

#:18 [wfxsnt40.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:04:05 AM
BasePriority : Normal
FileSize : 42 KB
FileVersion : 7.00 (Build 019)
ProductVersion : 7.00 (Build 019)
Copyright : Copyright © Symantec Corp. 1990-1997
CompanyName : Microsoft Corporation
FileDescription : Delrina Fax Port Launcher
InternalName : WFXSNT40.DLL
OriginalFilename : WFXSNT40.DLL
ProductName : Microsoft ® Windows NT™ WinFax Printer Driver
Created on : 10/3/2003 8:53:01 AM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 2/15/2000 12:36:22 AM

#:19 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 5-26-2004 7:04:05 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 6:44:46 AM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 2/23/2004 6:44:44 AM

#:20 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 5-26-2004 7:04:06 AM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 11/9/2003 8:11:44 AM
Last accessed : 5/26/2004 6:07:29 PM
Last modified : 11/9/2003 8:11:44 AM

#:21 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-26-2004 7:04:07 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 5/1/2004 6:54:16 AM
Last accessed : 5/26/2004 6:07:29 PM
Last modified : 1/26/2004 5:46:48 PM

#:22 [ppmemcheck.exe]
FilePath : C:\PROGRA~1\PESTPA~1\
ThreadCreationTime : 5-26-2004 7:04:08 AM
BasePriority : Normal
FileSize : 145 KB
Created on : 3/17/2004 9:47:24 AM
Last accessed : 5/26/2004 5:08:45 PM
Last modified : 10/16/2002 5:16:54 AM

#:23 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 5-26-2004 7:04:09 AM
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.75.302
ProductVersion : 9.75.302
Copyright : © 1987-2002 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 3/18/2004 10:24:36 PM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 11/21/2002 5:50:00 PM

#:24 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-26-2004 7:04:10 AM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft
Created on : 9/3/2002 4:56:58 PM
Last accessed : 5/26/2004 6:06:59 PM
Last modified : 9/3/2002 4:56:58 PM

#:25 [cursorxp.exe]
FilePath : C:\Program Files\CursorXP\
ThreadCreationTime : 5-26-2004 7:04:11 AM
BasePriority : High
FileSize : 122 KB
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
Copyright : Copyright
FileDescription : CursorXP
InternalName : CursorXP
OriginalFilename : CursorXP.exe
ProductName : Stardock CursorXP
Created on : 10/21/2003 5:26:33 AM
Last accessed : 5/26/2004 5:31:38 PM
Last modified : 3/2/2003 12:40:20 AM

#:26 [desktop calendar.exe]
FilePath : C:\Program Files\Desktop Calendar\
ThreadCreationTime : 5-26-2004 7:04:12 AM
BasePriority : Normal
FileSize : 432 KB
FileVersion : 0.04
ProductVersion : 0.04
CompanyName : Home
InternalName : Desktop Calendar
OriginalFilename : Desktop Calendar.exe
ProductName : DC Loading
Created on : 4/11/2003 11:20:04 PM
Last accessed : 5/26/2004 5:33:09 PM
Last modified : 4/11/2003 11:20:04 PM

#:27 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 5-26-2004 7:04:16 AM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright © 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 5/23/2004 8:01:20 PM
Last accessed : 5/26/2004 5:48:25 PM
Last modified : 2/25/2004 6:48:26 PM

#:28 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 5-26-2004 7:04:20 AM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/30/2003 2:05:35 AM
Last accessed : 5/26/2004 5:09:16 PM
Last modified : 8/30/2003 2:05:35 AM

#:29 [yahoopops.exe]
FilePath : C:\Program Files\YahooPOPs\
ThreadCreationTime : 5-26-2004 7:04:21 AM
BasePriority : Normal
FileSize : 440 KB
FileVersion : 0, 5, 0, 0
ProductVersion : 0, 5, 0, 0
Copyright : Copyright © 2002 - 2003, The YahooPOPs! Team
CompanyName : http://yahoopops.sourceforge.net
FileDescription : Free POP3/SMTP access to Yahoo! Mail
InternalName : YahooPOPs!
OriginalFilename : YahooPOPs.exe
ProductName : YahooPOPs!
Created on : 8/3/2003 11:47:58 PM
Last accessed : 5/26/2004 5:09:16 PM
Last modified : 8/3/2003 11:47:58 PM

#:30 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 5-26-2004 7:04:28 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 6:14:56 PM
Last accessed : 5/26/2004 5:09:16 PM
Last modified : 8/29/2003 6:14:56 PM

#:31 [webcolct.exe]
FilePath : C:\Program Files\Common Files\Logitech\WebColct\
ThreadCreationTime : 5-26-2004 7:07:00 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2.13.0
ProductVersion : 2.13.0
Copyright : © 1998-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Server for Internet Browsers
InternalName : WebColct
OriginalFilename : WebColct.exe
ProductName : Productivity Software Common Files
Created on : 3/18/2004 10:22:20 PM
Last accessed : 5/26/2004 5:11:48 PM
Last modified : 12/1/2003 7:31:02 PM

#:32 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:11:25 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:48 PM
Last accessed : 5/26/2004 5:15:52 PM
Last modified : 9/3/2002 4:28:48 PM

#:33 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-26-2004 7:11:27 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:48 PM
Last accessed : 5/26/2004 5:15:52 PM
Last modified : 9/3/2002 4:28:48 PM

#:34 [dap.exe]
FilePath : C:\PROGRA~1\DAP\
ThreadCreationTime : 5-26-2004 5:46:38 PM
BasePriority : Normal
FileSize : 1412 KB
FileVersion : 5, 3, 9, 6
ProductVersion : 5, 3, 9, 6
Copyright : Copyright © 1999 - 2003 SpeedBit Ltd
CompanyName : SpeedBit Ltd.
FileDescription : Download Accelerator Plus
InternalName : DAP
OriginalFilename : DAP.EXE
ProductName : Download Accelerator Plus
Created on : 7/11/2003 12:31:01 AM
Last accessed : 5/26/2004 5:55:17 PM
Last modified : 7/11/2003 12:31:02 AM

#:35 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-26-2004 6:07:26 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/4/2004 10:51:28 PM
Last accessed : 5/26/2004 6:07:27 PM
Last modified : 7/13/2003 4:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

180Solutions Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\nCASE


2020Search Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : downloader.downloader


2020Search Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : downloader.downloader.1


2020Search Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{02CB16D1-4CA7-47FF-8546-C5E925DF33D6}


BuddyLinks Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{7D39A396-CBB8-4739-B97C-83FAA4682E00}


ClickSpring Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\ClickSpring


Ebates MoneyMaker Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ebateswebsavingsdr0.xml


ePlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{f57d17ae-ce37-4bc8-b232-ea57747be5e7}


Golden Palace Casino Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Golden Palace Casino PT


Golden Palace Casino Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Golden Palace Casino PT


istbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : istactivex.installer.2


Kitten Free Sex Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\SDS Software\Setup2Go\UserData\Kitten Free Sex


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E720B458-B65A-438C-9FF3-B1DF65D7DB3E}


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{E720B458-B65A-438C-9FF3-B1DF65D7DB3F}


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{AB88FC82-FCDC-4062-BCC4-887F0D73EC1D}


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : LocatorS.LocatorBar


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : LocatorS.LocatorBar.1


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : LocatorS.LocatorLinks


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : LocatorS.LocatorLinks.1


Locators.com Toolbar Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{B4F8E732-4793-4F90-B40A-829331861D54}


New.Net Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net


New.Net Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\New.net


New.Net Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : software\new.net


RelatedLinks Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : lbbho.lbbho.1


RelatedLinks Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : lbbho.lbbho


RelatedLinks Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{15084be8-9a01-4e0b-a358-93688ec7d7aa}


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP


New.Net Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value : New.net Startup


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 28
Objects found so far: 28


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{09504BC1-E8CD-4090-B8F0-CA70F459B8A5}


CoolWebSearch Object recognized!
Type : File
Data : dcn.dll
Object : c:\windows\system32\
FileSize : 36 KB
Created on : 4/29/2004 2:11:33 AM
Last accessed : 5/26/2004 5:51:39 PM
Last modified : 4/29/2004 2:11:33 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{5321543C-0F67-4033-89F0-53BEF0E2A94A}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{5F9AF81A-7A26-42EB-BEA5-883D6D25DC18}


CoolWebSearch Object recognized!
Type : File
Data : aapa.dll
Object : c:\windows\system32\
FileSize : 36 KB
Created on : 4/29/2004 2:13:12 AM
Last accessed : 5/26/2004 5:52:15 PM
Last modified : 4/29/2004 2:13:12 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{81B4E9F7-F3F9-40EA-8E71-D74AB51E09D6}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{D33394F3-5028-4EBD-82B6-323F8EC5DB77}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{EF5E6E6D-EEB4-4DE9-A7AC-EE8AAA0644BD}


ePlugin Object recognized!
Type : RegKey
Data : c:\windows\eplugin.ocx
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{A75163E8-2C2C-48D4-BDB6-5B59D9231BEB}


ePlugin Object recognized!
Type : File
Data : eplugin.ocx
Object : c:\windows\
FileSize : 40 KB
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
Copyright : Copyright © 2003
FileDescription : Loader ActiveX Control Module
InternalName : DialXLite
OriginalFilename : EPlugin.OCX
ProductName : Loader ActiveX Control Module
Created on : 5/6/2003 1:26:14 AM
Last accessed : 5/26/2004 5:53:16 PM
Last modified : 5/6/2003 1:26:14 AM



ePlugin Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/EPlugin.ocx


WildTangent Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : AIMWDInstallFilename


WildTangent Object recognized!
Type : File
Data : aimwdi~1.exe
Object : c:\progra~1\aim\
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright © 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer



ePlugin Object recognized!
Type : RegValue
Data : c:\windows\eplugin.ocx
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\SharedDLLs
Value : C:\WINDOWS\EPlugin.ocx


New.Net Object recognized!
Type : NSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Name Space Provider: SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004


New.Net Object recognized!
Type : File
Data : newdotnet6_22-1.dll
Object : c:\program files\newdotnet\
FileSize : 220 KB
FileVersion : 6, 0, 0, 22
ProductVersion : 6, 0, 0, 22
Copyright : Copyright 2000-2002 New.net, Inc.
CompanyName : New.net, Inc.
FileDescription : New.net Domains
InternalName : tldctl2
OriginalFilename : tldctl2.dll
ProductName : New.net Domains
Created on : 5/15/2004 6:15:20 PM
Last accessed : 5/26/2004 6:08:30 PM
Last modified : 5/15/2004 6:15:14 PM



New.Net Object recognized!
Type : NSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Name Space Provider: SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net UDP Chain


New.Net Object recognized!
Type : File
Data : newdotnet6_22-1.dll
Object : c:\program files\newdotnet\
FileSize : 220 KB
FileVersion : 6, 0, 0, 22
ProductVersion : 6, 0, 0, 22
Copyright : Copyright 2000-2002 New.net, Inc.
CompanyName : New.net, Inc.
FileDescription : New.net Domains
InternalName : tldctl2
OriginalFilename : tldctl2.dll
ProductName : New.net Domains
Created on : 5/15/2004 6:15:20 PM
Last accessed : 5/26/2004 6:08:30 PM
Last modified : 5/15/2004 6:15:14 PM



New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net UDP Chain


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net TCP Chain


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net TCP Chain


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net TCP Filter


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net TCP Filter


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net UDP Filter


New.Net Object recognized!
Type : LSP
Data : c:\program files\newdotnet\newdotnet6_22-1.dll
Layered Service Provider: New.net UDP Filter


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 20
Objects found so far: 54


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

VX2.BetterInternet Object recognized!
Type : File
Data : bik.exe
Object : C:\WINDOWS\System32\
FileSize : 132 KB
Created on : 4/7/2004 6:43:53 PM
Last accessed : 5/26/2004 6:10:46 PM
Last modified : 4/7/2004 6:43:53 PM



Claria Object recognized!
Type : File
Data : fsg_4104.exe
Object : C:\WINDOWS\System32\
FileSize : 252 KB
FileVersion : 4.1.0.4
ProductVersion : 4.1.0.4
OriginalFilename : Trickler.exe
Created on : 2/25/2004 6:34:44 AM
Last accessed : 5/26/2004 6:10:57 PM
Last modified : 2/25/2004 6:34:44 AM



WinFavorites Object recognized!
Type : File
Data : mvhohqvw.exe
Object : C:\WINDOWS\System32\
FileSize : 36 KB
Created on : 3/31/2004 12:10:57 AM
Last accessed : 5/26/2004 6:11:25 PM
Last modified : 3/31/2004 12:10:57 AM



Possible Browser Hijack attempt Object recognized!
Type : File
Data : free aol & unlimited internet.url
Object : C:\Documents and Settings\Kerk\Favorites\Links\

Created on : 5/20/2004 8:46:57 PM
Last accessed : 5/26/2004 6:11:53 PM
Last modified : 5/20/2004 8:46:57 PM




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Golden Palace Casino Object recognized!
Type : File
Data : pk.ico
Object : c:\windows\
FileSize : 3 KB
Created on : 2/17/2004 11:19:18 PM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 2/17/2004 11:49:37 PM



Kitten Free Sex Dialer Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\SDS Software


Kitten Free Sex Dialer Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Window Title


Locators.com Toolbar Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : {E720B458-B65A-AAAA-AAAA-AAAAAAAAAAAA}


Locators.com Toolbar Object recognized!
Type : File
Data : lctkeys.txt
Object : c:\windows\

Created on : 2/26/2004 7:52:50 AM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 2/26/2004 8:07:08 AM



New.Net Object recognized!
Type : Folder
Object : c:\program files\NewDotNet


New.Net Object recognized!
Type : File
Data : newdotnet6_22-1.dll
Object : c:\program files\newdotnet\
FileSize : 220 KB
FileVersion : 6, 0, 0, 22
ProductVersion : 6, 0, 0, 22
Copyright : Copyright 2000-2002 New.net, Inc.
CompanyName : New.net, Inc.
FileDescription : New.net Domains
InternalName : tldctl2
OriginalFilename : tldctl2.dll
ProductName : New.net Domains
Created on : 5/15/2004 6:15:20 PM
Last accessed : 5/26/2004 6:08:30 PM
Last modified : 5/15/2004 6:15:14 PM



New.Net Object recognized!
Type : File
Data : readme.html
Object : c:\program files\newdotnet\
FileSize : 6 KB
Created on : 4/2/2004 8:19:20 PM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 5/15/2004 6:15:20 PM



New.Net Object recognized!
Type : File
Data : uninstall6_22-1.exe
Object : c:\program files\newdotnet\
FileSize : 48 KB
Created on : 5/15/2004 6:15:20 PM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 5/15/2004 6:15:20 PM



New.Net Object recognized!
Type : File
Data : uninstall6_22.exe
Object : c:\program files\newdotnet\
FileSize : 48 KB
Created on : 4/2/2004 8:19:20 PM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 4/2/2004 8:19:20 PM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\SerG


WildTangent Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Control Panel\MMCPL


VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Object : c:\windows\
FileSize : 252 KB
Created on : 3/16/2004 1:12:30 AM
Last accessed : 5/26/2004 6:11:54 PM
Last modified : 4/17/2004 1:01:38 AM



VX2.BetterInternet Object recognized!
Type : File
Data : payload.inf
Object : c:\windows\inf\
FileSize : 1 KB
Created on : 9/8/2003 5:20:38 PM
Last accessed : 5/26/2004 6:11:55 PM
Last modified : 9/8/2003 5:20:38 PM



WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : atl.registrar


WinFavorites Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{44ec053a-400f-11d0-9dcd-00a0c90391d3}


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 16
Objects found so far: 74


11:13:51 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:05:15:563
Objects scanned :64647
Objects identified :74
Objects ignored :0
New objects :74

#18 Daemon (Security Expert; Emeritus, 3,350 posts)

Posted 27 May 2004 - 01:04 AM

It's still out of date - click check for updates. Then have it remove all it finds. I don't need to see another AAW log - just post a new HJT log.
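One way to triage the HijackThis log the expert asks for, as an added example (this is not code from the thread, from HijackThis or from Ad-Aware): the script below applies a few of the checks an analyst would make on the log lines posted in this thread, namely IE search and start pages redirected to a `res://` resource inside a DLL in System32 (the CoolWebSearch pattern), autoruns launching from user-writable directories, IE policy restrictions (O6) and `DisableRegedit=1` (O7). The sample log is constructed from lines in the posted logs; the O4 entry for `uhae.exe` is assumed for illustration (the first log shows it running from Application Data, but no Run entry for it appears on the page), and the flag reasons are my own heuristics, not HijackThis categories.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus one assumed O4 line for uhae.exe (the first log shows it
# running from Application Data, but no Run entry for it is on the page).
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/myfinances
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [uhae] C:\Documents and Settings\Kerk\Application Data\uhae.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# HijackThis lines look like "<section code> - <body>".
HJT_LINE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")

# Directories an ordinary user can write to. A Run entry launching from
# here instead of Program Files or System32 is a common dropper pattern.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "R1" or "O7"
    reason: str    # why the line deserves a second look
    line: str      # the original log line


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage heuristics to one HijackThis log line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()

    if code in ("R0", "R1"):
        # CoolWebSearch pattern seen in this thread: IE search/start pages
        # pointed at an HTML resource inside a DLL dropped into System32.
        if "res://" in low and ("\\system32\\" in low or "\\windows\\" in low):
            return Finding(code, "IE page served from a local DLL resource", line)
        if "(obfuscated)" in low:
            return Finding(code, "HijackThis marks the value as obfuscated", line)
    elif code == "O4":
        if any(d in low for d in USER_WRITABLE_DIRS):
            return Finding(code, "autorun launches from a user-writable directory", line)
    elif code == "O6":
        # Policy keys that lock the user out of IE options: normal on a
        # domain-managed PC, suspicious on a home XP box.
        return Finding(code, "IE policy restrictions present", line)
    elif code == "O7":
        if "disableregedit=1" in low:
            return Finding(code, "regedit disabled by policy", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the findings for every line of a HijackThis log, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per HijackThis section code."""
    counts: dict = {}
    for f in findings:
        counts[f.code] = counts.get(f.code, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

The heuristics are deliberately narrow: a `(no name)` BHO or a toolbar is not flagged on its own, because legitimate entries (the Google toolbar in this log, for instance) look the same. One caveat the Ad-Aware log above makes visible: the New.Net entries are Winsock LSP and NSP catalog entries, not just files. Deleting `newdotnet6_22-1.dll` without removing those catalog entries leaves a broken provider chain and no network connectivity, which is why the vendor uninstaller listed in the log, or a tool that repairs the Winsock catalog, is the usual route (on XP SP2 and later, `netsh winsock reset` rebuilds the catalog; this machine is on SP1).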

#19 ecoexplorer (Member; Full Member, 13 posts)

Posted 29 May 2004 - 12:52 AM

OK ... AAW is now properly up to date ... here is HJT's log ... it's still there, huh?


Logfile of HijackThis v1.97.7
Scan saved at 10:51:23 PM, on 5/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Desktop Calendar\Desktop Calendar.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\YahooPOPs\YahooPOPs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\WebColct\WebColct.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/myfinances
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.quicken.com/myfinances
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.quicken.com/myfinances/
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: WebBlinds - {4F92B827-1E56-4E30-A978-A17A7861A606} - C:\PROGRA~1\OBJECT~1\WEBBLI~1\webblinds.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: YahooPOPs.lnk = ?
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {26AF16A3-32E4-4D60-A764-C5B6F249D091} (AxgviewerCtrl Class) - http://marketrac.nys...D/Axgviewer.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8112.6336342593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab

#20 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 29 May 2004 - 03:01 AM

It looked like you got rid of it before but you appear to be reinfected. Dllfix has been updated. Could you re-download from here. It is a self-extracting archive; double click on it. Open the DLLFIX folder and double click on Start.bat.

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter. Let the program run. When finished, press 'E' to exit. Open the DLLFix folder. Post the contents of Output.txt in this thread.

#21 shadowwar

shadowwar

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 1,361 posts

Posted 29 May 2004 - 08:05 AM

You might try ticking and fixing the infected R1 and R0's. There is no O2 entry for the DLL, which is weird.




#23 ecoexplorer

ecoexplorer

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 30 May 2004 - 01:54 AM

shadowwar....would it be possible for you to help me on this??????


Daemon ...here is the log you requested....please help.....thanks



--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Sat 05/29/2004
04:34 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (4C24:42B3) - FS:NTFS clusters:4k
Total: 29 981 143 040 [28G] - Free: 7 186 497 536 [6.7G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 C:\WINDOWS\system32\notepad.exe
5.1.2600.0 C:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;



Locked or 'Suspect' file(s) found...


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"Appinit_Dlls"=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CF0B8EE-6596-11D5-A98E-0003470BB48E}]
@="CCHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}]
@="SpywareGuard Download Protection"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4F92B827-1E56-4E30-A978-A17A7861A606}]
@="WebBlinds"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/xml]
"CLSID"="{807553E5-5146-11D5-A672-00B0D022E945}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




#24 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 30 May 2004 - 05:11 AM

Did you try what shadowwar suggested? Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'Fix checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)

Fix these also:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present


Reboot when done, rescan with HJT and post a new log here.
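A small triage pass over HijackThis-format lines for the entry types Daemon and shadowwar point at in this thread (R0/R1 search settings pointing into a DLL in system32, O6 policy restrictions, O7 DisableRegedit, O16 ActiveX downloads from a bare IP), with shadowwar's cross-check for a hijack DLL that has no O2 BHO entry. This is an added example, not code from the forum posts or from HijackThis; the sample log is constructed and the last O16 host is a placeholder.

```python
import re

# Constructed sample in HijackThis v1.97 log format. The R0/R1/O6/O7 lines and the
# first O16 line mirror the thread; the host in the last O16 line is a placeholder.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\system32\aapa.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://c:\windows\system32\pepfb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://cdn.example.invalid/swflash.cab
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# Search/start page served as an HTML resource out of a DLL dropped in system32:
# the "(obfuscated)" hijack HijackThis flags on the R0/R1 lines in this thread.
RES_IN_SYSTEM32 = re.compile(r"res://[^ ]*\\system32\\([^\\/]+\.dll)/", re.I)
IP_HOST = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})/", re.I)

def triage(log_text):
    """Return (findings, bho_dlls): findings are (code, reason, line) tuples for
    entries worth fixing; bho_dlls is the set of DLL basenames registered as O2
    BHOs, kept so the hijack DLLs can be cross-checked against them."""
    findings, bho_dlls = [], set()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O2":
            bho_dlls.add(body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower())
        elif code in ("R0", "R1") and (h := RES_IN_SYSTEM32.search(body)):
            findings.append((code, f"search hijack via {h.group(1).lower()}", raw))
        elif code == "O6":
            findings.append((code, "IE policy restriction locks the hijacked settings", raw))
        elif code == "O7" and "DisableRegedit=1" in body:
            findings.append((code, "registry editor disabled by policy", raw))
        elif code == "O16" and (ip := IP_HOST.search(body)):
            findings.append((code, f"ActiveX download from bare IP {ip.group(1)}", raw))
    return findings, bho_dlls

def hijack_dlls_without_bho(log_text):
    """DLLs named in R0/R1 hijacks that have no O2 entry at all: the oddity
    shadowwar pointed out, meaning the DLL is not loaded as a plain BHO."""
    findings, bho_dlls = triage(log_text)
    named = {r.split("via ")[1] for c, r, _ in findings if c in ("R0", "R1")}
    return sorted(named - bho_dlls)
```

Run `triage(SAMPLE_LOG)` on a pasted log to get the entries to tick in HijackThis, and `hijack_dlls_without_bho` to see which hijack DLLs lack an O2 line.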



