Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

help appreciated


  • Please log in to reply
7 replies to this topic

#1 Draper

Draper

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 18 May 2005 - 12:42 PM

Hi there

having spent the last 8 hours trying to shift this hijack could anyone please help, having read and actioned to the book the self help page several times i am pulling my hair out (please let me meet and identify the person resposible).

the original HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:44:58, on 18/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA135.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart 8 1
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



If i use the HJT to fix in normal mode the R1, R0 & 02's dont get deleted and are still there when i rescan, if i do it in safe mode then they go, but as soon as i restart windows and open IE it goes stright for startsearches.com, its so frustrating because it wont let me open any page that takes a while to come up including my online email or windows updater, i have tried to identify whats reinstalling them and have removed most of the 04's (strange how the computer still works fine?)

Any help greatly appreciated


Here is the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 18:33:50, on 18/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\startsearches virus 18.5.05\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp9E5A.tmp
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:03 AM

Posted 18 May 2005 - 10:34 PM

Hello Draper and welcome to the BC forums. After reviewing your log I see that you are running msconfig in /auto mode which means that you may have selectively removed some items in the past from the startup procedure. This can hide malware from us when we are performing a fix, so we would like you to reenable those startup entries by doing the following:

Please click on Start, then Run, and type msconfig and then press Enter. When the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. If it asks to reboot, do not reboot even if that means leaving the computer on till I get back to you.

Now please create a new Hijackthis Log and post it here as a reply. I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 Draper

Draper
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 19 May 2005 - 02:55 AM

thanks for the quick reply,
I've had another dable this morning and found process "intmon.exe" is always running,
just deleted this and "intmon.exe-1AB889B2.pf" in safe mode along with the 7xR1, R0 & 02
after restarting the computer intmon is back in windows/sytem32
along with all the R1,s R0 & 02


heres the hjt log this morning,
Im sorry to say i already shut down the computer last night before i got your reply this morning:

thanks in advance
David
Logfile of HijackThis v1.99.1
Scan saved at 07:40:33, on 19/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\startsearches virus 18.5.05\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hp9225.tmp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:03 AM

Posted 19 May 2005 - 10:59 AM

Logfile of HijackThis v1.99.1
Scan saved at 10:44:58, on 18/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\fpapli.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\Tprbtn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA135.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [scroller] fpapli.exe
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart 8 1
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


=====fix
Hi Draper. Ok, please print these directions and then proceed with the following steps in order.

Step #1

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as smitfix.reg :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]


Close Notepad.

Step #2

Remove installed programs using Add or Remove Programs in the Control Panel:
  • Click Start.
  • Click Control Panel.
  • Double-click Add or Remove Programs.
  • Look in the Currently installed programs box for each program listed below and if it is there:
  • Click on it to select it.
  • Click Change (or Change/Remove) button.
  • If you are prompted to confirm the removal of the program, click Yes.
Security IGuard
Virtual Maid
Search Maid

Download Hoster.zip and unzip it to your desktop. Do not run it yet.

Download DelDomains.zip and unzip it to your desktop. We will use this later on.

Step #3

Download Pocket Killbox and unzip it to your desktop.

Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
    • C:\wp.exe
      C:\wp.bmp
      C:\bsw.exe
      C:\Windows\sites.ini
      C:\Windows\popuper.exe
      C:\Windows\System32\wldr.dll
      C:\Windows\System32\helper.exe
      C:\Windows\System32\intmon.exe
      C:\Windows\System32\shnlog.exe
      C:\Windows\System32\intmonp.exe
      C:\Windows\System32\msmsgs.exe
      C:\Windows\system32\msole32.exe
      C:\Windows\System32\ole32vbs.exe
  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
You system will reboot now. Reboot into Safe Mode by:

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\Program Files\Search Maid\ <--folder
C:\Program Files\Virtual Maid\ <--folder
C:\Windows\System32\Log Files\ <--folder
C:\Program Files\Security IGuard\ <--folder

Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpA135.tmp
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [Hotkey] C:\WINDOWS\System32\hkeyman.exev
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {937B6EBF-97C0-44F0-97FA-13CAACB0D689} - (no file) (HKCU)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Start Hoster and click on the Restore Original Hosts button. Now, close Hoster.

Step #7

Locate the deldomains.inf file on your desktop. Right-click on it and choose Install from the popup menu.

Step #8

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #9

Locate smitfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Step #10

Reboot normally and run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #11

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 Draper

Draper
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 20 May 2005 - 02:02 PM

Thank you very much OT that seems to work,
IE no longer tries to relocate to startsearches.org/com? and i can change my home address again (it set it to blank and would not let me change it)


comments:

step 2 - none of these programs were present, securityiguard was deleted in my earlier attempts.

step3 - you listed 13 items for killbox to remove and said ensure they are all in the drop down box, it only seems to copy from clipboard ones present?
I checked the misssing ones manually and are not on the computer.

step5 - HJT could only locate the 1st nine items, the 2x04 & 4x09 were not listed?


Here is the:
BitDefender Online Scanner
Scan report generated at: Fri, May 20, 2005 - 11:05:26
Scan path: C:\;D:\;

Statistics Time00:23:59
Files 129241
Folders 3565
Boot Sectors 2
Archives 610
Packed Files 21668

Results
Identified Viruses
6
Infected Files
7
Suspect Files
1
Warnings
0
Disinfected
0
Deleted Files
8

Engines Info
Virus Definitions
165253
Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins
13
Archive plugins
39
Unpack plugins
4
E-mail plugins
6
System plugins
1

Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;pp

t;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;ch

m;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions

Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes


Scanned File
Status
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045413.exe
Detected with: Adware.POP.dl
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045413.exe
Disinfection failed
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045413.exe
Deleted
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045418.exe
Infected with: Trojan.Downloader.Apropo.T
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045418.exe
Disinfection failed
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045418.exe
Deleted
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045419.exe
Infected with: Trojan.Downloader.Apropo.T
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045419.exe
Disinfection failed
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP328\A0045419.exe
Deleted
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP329\A0045844.exe
Infected with: BehavesLike:Win32.ExplorerHijack
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP329\A0045844.exe
Disinfection failed
C:\System Volume

Information\_restore{3BB6373A-6C12-4B2A-92B8-46C669336D22}\RP329\A0045844.exe
Deleted
C:\util\drivers\hotkey\uninst.vbs
Suspected of: Type_VBS_Autorun
C:\util\drivers\hotkey\uninst.vbs
Disinfection failed
C:\util\drivers\hotkey\uninst.vbs
Deleted
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Infected with: Trojan.Downloader.IstBar.FA
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Disinfection failed
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Deleted
C:\WINDOWS\gx9fzj83m9.exe
Infected with: Trojan.Dropper.Agent.GD
C:\WINDOWS\gx9fzj83m9.exe
Deleted
C:\WINDOWS\system32\on5x1d903nem18.dll
Infected with: Trojan.Downloader.Small.AMG
C:\WINDOWS\system32\on5x1d903nem18.dll
Disinfection failed
C:\WINDOWS\system32\on5x1d903nem18.dll
Deleted

Restore seems to be infected, is there anyway to remove?



Here is the eTrust virus scan which doesn’t seem to offer any fix/delete options? Scan Results: 47778 files scanned. 21 viruses were detected.

File Infection Status Path
wldr.dll Win32.Angourd.H infected C:\!Submit\
backup-20050518-162154-809.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-162917-836.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-162936-809.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-164417-614.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-164832-978.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-171617-974.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-171738-903.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-173132-368.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-175134-178.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-175306-950.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-175320-790.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-175432-447.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-175740-347.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-180824-895.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050518-184132-309.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050519-073715-424.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050519-085624-787.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050519-085713-469.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
backup-20050520-101407-355.dll Win32.Startpage.QJ infected C:\Documents and

Settings\Administrator\Desktop\startsearches virus 18.5.05\backups\
hhk.dll Win32.Startpage.QJ infected C:\WINDOWS\system32\

I have deleted the folder “Settings\Administrator\Desktop\startsearches virus 18.5.05\backups” which I assume HJT created?



I run Trend house call quite often
it didnt find anything on Wednesday when
I first realised there was a problem and still didn’t today?



After restarting the computer

Here is the:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:33, on 20/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Administrator\Desktop\startsearches virus 18.5.05\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Administrator/Desktop/startsearches%20virus%2018.5.05/Bleeping%20Computer%20Computer%20Help%20-%20help%20appreciated.htm
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:03 AM

Posted 20 May 2005 - 04:15 PM

Hi Draper. The original infections are gone but you have picked up a LOP infection. Let's clean that up.

AdAware SE

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Your operating system is extremely out of date. By not keeping your OS updated you leave yourself open to many of the infections that cannot be installed on a properly updated system. I strongly recommend that you go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known holes which your present system has open.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 Draper

Draper
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:03 AM

Posted 21 May 2005 - 03:22 AM

Thanks again OT
Donation on way

Is that Gandalf in your ID?
He's my fav character from LOTR,
hes currently playing a rather sad author in the UK's most popular soap, although he plays the part very well its quite sad to see him in a soap.

I already spent yesterday afternoon & this morning updating windows.

heres the ad-awarew log - 86 refrences:

Ad-Aware SE Build 1.05
Logfile Created on:21 May 2005 08:03:36
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):6 total references
Coulomb Dialer(TAC index:5):1 total references
DyFuCA(TAC index:3):18 total references
istbar(TAC index:7):23 total references
Possible Browser Hijack attempt(TAC index:3):6 total references
SearchFast(TAC index:5):11 total references
SearchMaid(TAC index:7):2 total references
Security iGuard(TAC index:9):1 total references
Tracking Cookie(TAC index:3):7 total references
YourSiteBar(TAC index:6):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R8 13.09.2004
Internal build : 12
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 344723 Bytes
Total size : 1092481 Bytes
Signature data size : 1068971 Bytes
Reference data size : 22998 Bytes
Signatures total : 30122
Fingerprints total : 154
Fingerprints size : 7129 Bytes
Target categories : 15
Target families : 560

21-05-2005 07:56:05 Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints total : 883
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


21-05-2005 07:56:21 Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:65 %
Total physical memory:523248 kb
Available physical memory:336972 kb
Total page file size:1278112 kb
Available on page file:1133580 kb
Total virtual memory:2097024 kb
Available virtual memory:2045636 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Don't log streams smaller than 0 Bytes
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


21-05-2005 08:03:36 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 568
ThreadCreationTime : 21-05-2005 06:44:42
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 21-05-2005 06:44:47
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 664
ThreadCreationTime : 21-05-2005 06:44:50
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 708
ThreadCreationTime : 21-05-2005 06:44:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 720
ThreadCreationTime : 21-05-2005 06:44:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 872
ThreadCreationTime : 21-05-2005 06:44:55
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 944
ThreadCreationTime : 21-05-2005 06:44:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 980
ThreadCreationTime : 21-05-2005 06:44:56
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1036
ThreadCreationTime : 21-05-2005 06:44:57
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1132
ThreadCreationTime : 21-05-2005 06:44:57
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1344
ThreadCreationTime : 21-05-2005 06:45:00
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1536
ThreadCreationTime : 21-05-2005 06:45:02
BasePriority : Normal


#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 556
ThreadCreationTime : 21-05-2005 06:45:23
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:14 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1232
ThreadCreationTime : 21-05-2005 06:45:32
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:15 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1248
ThreadCreationTime : 21-05-2005 06:45:33
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:16 [wltrysvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1420
ThreadCreationTime : 21-05-2005 06:45:33
BasePriority : Normal


#:17 [bcmwltry.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1440
ThreadCreationTime : 21-05-2005 06:45:34
BasePriority : Normal
FileVersion : 3.60.7.0
ProductVersion : 3.60.7.0
ProductName : BCM 802.11g Network Adapter Wireless Network Tray Applet
CompanyName : Broadcom Corporation
FileDescription : BCM 802.11g Network Adapter Wireless Network Tray Applet
InternalName : bcmwltry.exe
LegalCopyright : 1998-2003, Broadcom Corporation All Rights Reserved.
OriginalFilename : bcmwltry.exe

#:18 [wcescomm.exe]
FilePath : C:\Program Files\Microsoft ActiveSync\
ProcessID : 1636
ThreadCreationTime : 21-05-2005 06:45:35
BasePriority : Normal
FileVersion : 3.7.0.3083
ProductVersion : 3.7.3083
ProductName : Microsoft ActiveSync
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
LegalCopyright : Copyright © 1995-2003 Microsoft Corp. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation.
OriginalFilename : WCESCOMM.EXE

#:19 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 768
ThreadCreationTime : 21-05-2005 06:45:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:20 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1716
ThreadCreationTime : 21-05-2005 06:45:54
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 276
ThreadCreationTime : 21-05-2005 06:46:15
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 552
ThreadCreationTime : 21-05-2005 06:46:17
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:23 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 2924
ThreadCreationTime : 21-05-2005 06:56:01
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{b599c57e-113a-4488-a5e9-bc552c4f1152}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1d27210e-2da2-41e2-a103-b5fd9d6a798b}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{145e6fb1-1256-44ed-a336-8bba43373be6}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{145e6fb1-1256-44ed-a336-8bba43373be6}
Value : InprocServer32

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj.1

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj.1
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}
Value :

SearchFast Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{49232000-16e4-426c-a231-62846947304b}

SearchFast Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{49232000-16e4-426c-a231-62846947304b}
Value :

SearchFast Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8da729b1-b0fc-4fab-9d33-0b004e0f0592}

SearchFast Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8da729b1-b0fc-4fab-9d33-0b004e0f0592}
Value :

SearchFast Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sysinfo.sysdata

SearchFast Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sysinfo.sysdata
Value :

SearchFast Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sysinfo.sysdata.1

SearchFast Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sysinfo.sysdata.1
Value :

SearchFast Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{980bcd41-0313-4693-88be-d036753fa898}

YourSiteBar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{03b800f9-2536-4441-8cda-2a3e6d15b4f8}
Value :

YourSiteBar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{dfbcc1eb-b149-487e-80c1-cc1562021542}
Value :

YourSiteBar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4ee12b71-aa5e-45ec-8666-2db3ad3fdf44}

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : last_conn_h

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : last_conn_l

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : we

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : cdata

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : TimeOffset

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : action_url_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : action_url_last_chunk

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : action_url_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : key_file

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : kw_last_chunk

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : cbc

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : keyword_updating_ver

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : keyword_last_chunk

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : geourl_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : geourl_current_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : actionurl_last_full_version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\sais
Value : actionurl_current_version

SearchMaid Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\virtual maidvirtual maid

Security iGuard Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\rex-services

YourSiteBar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar\historyfiles

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar\historyfiles
Value : C:\PROGRA~1\YOURSI~1\yoursitebar.xml

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar\historyfiles
Value : C:\PROGRA~1\YOURSI~1\imagemap_normal.bmp

YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar\historyfiles
Value : C:\PROGRA~1\YOURSI~1\version.txt

SearchMaid Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-359561344-4264649163-3499916212-500\software\virtual maid

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment : "gUpdate"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : gUpdate

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 50
Objects found so far: 50


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Value : DisplayName

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Value : UninstallString

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Value : Publisher

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Value : URLInfoAbout

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar "http://www.ysbweb.com"
Category : Malware
Comment : (http://www.ysbweb.com)
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar
Value : HelpLink

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 56


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@realmedia[2].txt
Category : Data Miner
Comment : Hits:46
Value : Cookie:david@realmedia.com/
Expires : 01-01-2021 01:00:00
LastSync : Hits:46
UseCount : 0
Hits : 46

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@tribalfusion[2].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:david@tribalfusion.com/
Expires : 01-01-2038 01:00:00
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@bs.serving-sys[2].txt
Category : Data Miner
Comment : Hits:6
Value : Cookie:david@bs.serving-sys.com/
Expires : 01-01-2038 06:00:00
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@serving-sys[2].txt
Category : Data Miner
Comment : Hits:60
Value : Cookie:david@serving-sys.com/
Expires : 01-01-2038 06:00:00
LastSync : Hits:60
UseCount : 0
Hits : 60

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@apmebf[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:david@apmebf.com/
Expires : 19-05-2010 10:42:50
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@qksrv[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:david@qksrv.net/
Expires : 19-05-2010 10:42:52
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : david@bluestreak[1].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:david@bluestreak.com/
Expires : 19-05-2015 03:38:40
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 63



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Coulomb Dialer Object Recognized!
Type : File
Data : Groove.x32
Category : Dialer
Comment :
Object : C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras\download\TheGrooveAlliance\3DGrooveXtrav181\
FileVersion : 1, 8, 1, 0
ProductVersion : 1, 8, 1, 0
ProductName : GROOVE
FileDescription : GROOVE
InternalName : GROOVE
LegalCopyright : Copyright 2001
OriginalFilename : GROOVE.x32


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 64


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 64




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : installTitle

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : barTitle

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : serverpath

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : urlAfterInstall

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : TBRowMode

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : yoursitebar.xml

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : imagemap_normal.bmp

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : showcorrupted

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : updatever

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : refreshscope

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : allowupdate

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : LastCheckTime

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : version.txt

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\yoursitebar
Value : UpdateBegin

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager

SearchFast Object Recognized!
Type : File
Data : SysInfo.dll
Category : Malware
Comment :
Object : C:\WINDOWS\downloaded program files\
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : SysInfo Module
CompanyName : Rapidigm Inc
FileDescription : SysInfo Module
InternalName : SysInfo
LegalCopyright : Copyright 2003
OriginalFilename : SysInfo.DLL


SearchFast Object Recognized!
Type : File
Data : SysInfo.inf
Category : Malware
Comment :
Object : C:\WINDOWS\downloaded program files\



YourSiteBar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar
Value : Locked

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 21
Objects found so far: 85

08:17:17 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:13:40.560
Objects scanned:122480
Objects identified:86
Objects ignored:0
New critical objects:86


Just ran bitfinder online virus scan again and nothing found

Heres the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 09:18:35, on 21/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\startsearches virus 18.5.05\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email01.wanadoo.co.uk/webmail/inbox...FromSubmit=true
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Panasonic HotKey Manager (HKEYMAN) - Panasonic - C:\Program Files\Panasonic\HotKey Manager\HKEYMAN.EXE
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:03 AM

Posted 21 May 2005 - 03:03 PM

Hi Draper. Your log is clean. Good job! How are things running? Any problems?

I currently see no anti-virus application installed on this computer. An anit-virus program is your first line of defense against becoming infected and I highly encourage you to install one. See the information below regarding free ones that are available for personal use.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus (these are also free for personal use):It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users