Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - donovanbond


  • This topic is locked This topic is locked
10 replies to this topic

#1 donovanbond

donovanbond

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 19 October 2004 - 11:50 AM

HELP ME PLEASE - I think I have a virus which is preventing me from using IE. I am a home user running Windows XP SP 2. I tried using 'Spyboot Search & Destroy' but this has not resolved the problem. Basically when I start up IE I am sucessful in getting to my home page (google), and then able to perform 1 search. No matter what link i subsequently click on I get the 'Cannot find server - page cannot be displayed IE error message. If I use the 'back' button I get the same message.

I have followed your instructions for running HJT and attach the log from my laptop:

Logfile of HijackThis v1.98.2
Scan saved at 18:52:33, on 17/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\system32\regservices.exe
C:\WINDOWS\system32\Systesms.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsvc.exe
C:\windows\temp\Wpqp4.exe
C:\WINDOWS\system32\ms32cfg.exe
C:\windows\temp\6XW.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\atl39290.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\private.exe
C:\WINDOWS\system32\ms32cfg.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINDOWS\System32\RsoF.exe
C:\WINDOWS\System32\RsoF.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Documents and Settings\Andy\My Documents\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32/left.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Andy\Local Settings\Temp\kv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\system32\stlb2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\Run: [regservices.exe] regservices.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\Run: [Task manager] TikTo.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ituxsjpb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Wpqp4] C:\windows\temp\Wpqp4.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [6XW] C:\windows\temp\6XW.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [5MKXQCH56MK5B#] C:\WINDOWS\System32\Yfk8.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [334fb511f5c6] C:\WINDOWS\System32\atl39290.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\private.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\RunServices: [regservices.exe] regservices.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Task manager] TikTo.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [regservices.exe] regservices.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [Task manager] TikTo.exe
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Win32 System Spool] spoolsvc.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25087fbb4a052a...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096232922593
O17 - HKLM\System\CCS\Services\Tcpip\..\{281F15C2-645E-4009-8BB2-7D7D2EE8B170}: NameServer = 194.72.9.39 194.74.65.87
O17 - HKLM\System\CS1\Services\Tcpip\..\{281F15C2-645E-4009-8BB2-7D7D2EE8B170}: NameServer = 194.72.9.39 194.74.65.87

I would appreciate any help asap please

Many thanks - donovan

BC AdBot (Login to Remove)

 


m

#2 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 19 October 2004 - 01:56 PM

Looking over your log now donovanbond. Be back with you soon.
Derfram
~~~~~~

#3 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 19 October 2004 - 09:20 PM

Hello donovanbond, and welcome to BleepingComputer.

You have quite a mess there. I know you said you tried Spybot S&D, but let's use that again and also Ad-aware being sure you are using the latest versions with current updates.

Let's start with some automated anti-malware tools.

Download Ad-aware SE v1.05 from LavaSoft. Install, update and configure it as explained in this tutorial. Run Ad-aware and allow it to remove everything it finds.

Download Spybot Search & Destroy v1.3. Install, update and configure it as expained in this tutorial. Run Spybot and allow it to remove everything it finds.

Together, Ad-aware and Spybot provide a one-two punch that will remove much of the malware that is infecting your machine.

I notice you do not have any anti-virus software running. On today's internet, an up to date AV is a must. AVG by Grisoft is a well respected and free AV program. Also, I see no third party Firewall running. At least be sure that Windows XP built in firewall is active. ZoneAlarm from Zonelabs offers a good free personal firewall.

Along these lines,
Please do an online virus scan at two or more of the following sites:
TrendMicro Housecall
Panda ActiveScan
Symantec Security Check
CA eTrust AV WebScanner

Allow the online scan to remove anything it finds. Report anything that it can not remove.

Reboot and post a new HJT log.

Edited by ddeerrff, 19 October 2004 - 09:20 PM.

Derfram
~~~~~~

#4 donovanbond

donovanbond
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 24 October 2004 - 01:46 PM

Thanks for your reply. I have done the following:

1) Reinstalled Spybot S&D and allowed it to remove everything it found.
2) Downloaded & ran Ad-aware. It found quite alot and the tutorial said that it was not recommended to remove everything detected so I have attached a copy of the log file created:


Ad-Aware SE Build 1.05
Logfile Created on:24 October 2004 19:19:09
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R8 13.09.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
BrowserAid(TAC index:6):15 total references
CoolWebSearch(TAC index:10):4 total references
EzuLa(TAC index:6):1 total references
Lycos Sidesearch(TAC index:7):15 total references
MemoryWatcher(TAC index:4):12 total references
midADdle(TAC index:4):15 total references
MRU List(TAC index:0):19 total references
PeopleOnPage(TAC index:9):6 total references
Possible Browser Hijack attempt(TAC index:3):2 total references
Rads01.Quadrogram(TAC index:6):1 total references
StatBlaster(TAC index:8):4 total references
Tracking Cookie(TAC index:3):1 total references
Win32.Turown.h(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


24-10-2004 19:19:09 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-483193567-2668779866-2685066394-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Andy\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 548
ThreadCreationTime : 24-10-2004 17:14:48
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 24-10-2004 17:14:49
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 24-10-2004 17:14:49
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 692
ThreadCreationTime : 24-10-2004 17:14:49
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 704
ThreadCreationTime : 24-10-2004 17:14:49
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 848
ThreadCreationTime : 24-10-2004 17:14:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 928
ThreadCreationTime : 24-10-2004 17:14:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 964
ThreadCreationTime : 24-10-2004 17:14:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1028
ThreadCreationTime : 24-10-2004 17:14:50
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1100
ThreadCreationTime : 24-10-2004 17:14:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1348
ThreadCreationTime : 24-10-2004 17:14:51
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1364
ThreadCreationTime : 24-10-2004 17:14:51
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:13 [avgserv.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 1492
ThreadCreationTime : 24-10-2004 17:14:53
BasePriority : Normal
FileVersion : 6.0.1.696
ProductVersion : 6.0.1.696
ProductName : AVG6
CompanyName : GRISOFT s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
LegalCopyright : Copyright © GRISOFT 1998-2004
OriginalFilename : AvgServ

#:14 [slserv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1540
ThreadCreationTime : 24-10-2004 17:14:53
BasePriority : Normal
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
ProductName : Modem
FileDescription : User-Level Modem Service
InternalName : slserv
LegalCopyright : Copyright © 1999-2000
OriginalFilename : slserv.exe

#:15 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1564
ThreadCreationTime : 24-10-2004 17:14:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:16 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 1700
ThreadCreationTime : 24-10-2004 17:14:58
BasePriority : Normal
FileVersion : 5.1.033.000
ProductVersion : 5.1.033.000
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2004, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:17 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 476
ThreadCreationTime : 24-10-2004 17:15:09
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:18 [igfxtray.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1192
ThreadCreationTime : 24-10-2004 17:15:35
BasePriority : Normal
FileVersion : 3,0,0,2082
ProductVersion : 7,0,0,2082
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:19 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1176
ThreadCreationTime : 24-10-2004 17:15:35
BasePriority : Normal
FileVersion : 3,0,0,2082
ProductVersion : 7,0,0,2082
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:20 [gsicon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1244
ThreadCreationTime : 24-10-2004 17:15:35
BasePriority : Normal
FileVersion : 3.1.1
ProductVersion : 3.1.1
ProductName : BT Voyager ADSL Modem
CompanyName : BT, Inc.
FileDescription : DSL Modem Monitor
InternalName : GSICON.EXE
LegalCopyright : Copyright © 2001 GlobespanVirata, Inc.
OriginalFilename : GSICON.EXE

#:21 [dslagent.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1296
ThreadCreationTime : 24-10-2004 17:15:35
BasePriority : Normal


#:22 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1460
ThreadCreationTime : 24-10-2004 17:15:35
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:23 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1552
ThreadCreationTime : 24-10-2004 17:15:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:24 [atl39290.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1512
ThreadCreationTime : 24-10-2004 17:15:36
BasePriority : Normal


#:25 [avgcc32.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG6\
ProcessID : 1816
ThreadCreationTime : 24-10-2004 17:15:36
BasePriority : Normal
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
LegalCopyright : Copyright © 2003 GRISOFT s.r.o.
OriginalFilename : AvgCC32.EXE

#:26 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 1720
ThreadCreationTime : 24-10-2004 17:15:36
BasePriority : Normal
FileVersion : 5.1.033.000
ProductVersion : 5.1.033.000
ProductName : Zone Labs Client
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2004, Zone Labs Inc.
OriginalFilename : zlclient.exe

#:27 [mpbtn.exe]
FilePath : C:\Program Files\BT Broadband\Help\bin\
ProcessID : 1960
ThreadCreationTime : 24-10-2004 17:15:38
BasePriority : Normal


#:28 [taskmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2028
ThreadCreationTime : 24-10-2004 17:47:02
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

#:29 [avgw.exe]
FilePath : C:\Program Files\Grisoft\AVG6\
ProcessID : 2172
ThreadCreationTime : 24-10-2004 18:05:42
BasePriority : Normal
FileVersion : 6, 0, 0, 516
ProductVersion : 6, 0, 0, 0
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG 6.0 Application
InternalName : avgw
LegalCopyright : Copyright © GRISOFT, s.r.o, 1999-2003
OriginalFilename : avgw.exe

#:30 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3908
ThreadCreationTime : 24-10-2004 18:18:43
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BrowserAid Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}
Value : lsrchci

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}
Value : upt

BrowserAid Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-18\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-18\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}
Value : lsrchci

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-18\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}
Value : upt

BrowserAid Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\runwindowsupdate

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\runwindowsupdate
Value : Gid

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\runwindowsupdate
Value : Country

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\runwindowsupdate
Value : LastNI

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\runwindowsupdate
Value : uid2

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band.1

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band.1
Value :

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band
Value :

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c5183abc-eb6e-4e05-b8c9-500a16b6cf94}

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c5183abc-eb6e-4e05-b8c9-500a16b6cf94}
Value :

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{4e627a1e-bc4b-4faf-8de8-1d9a54d37da3}

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search.1

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search.1
Value :

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search
Value :

Lycos Sidesearch Object Recognized!
Type : Regkey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c30793af-14b2-4300-8b5d-4bfa3987050e}

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{c30793af-14b2-4300-8b5d-4bfa3987050e}
Value :

MemoryWatcher Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\memorywatcher

MemoryWatcher Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\memorywatcher
Value : Install_Dir

MemoryWatcher Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\memorywatcher

MemoryWatcher Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\memorywatcher
Value : DisplayName

MemoryWatcher Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\memorywatcher
Value : UninstallString

midADdle Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e8eaeb34-f7b5-4c55-87ff-720faf53d841}

midADdle Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e8eaeb34-f7b5-4c55-87ff-720faf53d841}
Value :

midADdle Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e8eaeb34-f7b5-4c55-87ff-720faf53d841}
Value : AppID

midADdle Object Recognized!
Type : Regkey
Data : SearchHelp
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ecb25a48-e6e0-49af-99af-07c763e31389}

midADdle Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\searchhelp.dll

midADdle Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid\searchhelp.dll
Value : AppID

midADdle Object Recognized!
Type : Regkey
Data : SearchHelp
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ecb25a48-e6e0-49af-99af-07c763e31389}\1.0

midADdle Object Recognized!
Type : RegValue
Data : SearchHelp
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{ecb25a48-e6e0-49af-99af-07c763e31389}\1.0
Value :

midADdle Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e318d698-27b3-44d5-8998-c35eafb9c034}

midADdle Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e318d698-27b3-44d5-8998-c35eafb9c034}
Value :

midADdle Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{e8eaeb34-f7b5-4c55-87ff-720faf53d841}

midADdle Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{e8eaeb34-f7b5-4c55-87ff-720faf53d841}
Value :

PeopleOnPage Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\apropos

CoolWebSearch Object Recognized!
Type : RegData
Data : CSearchHelpIEExtension Object
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : searchhelp
Value :
Data : CSearchHelpIEExtension Object

midADdle Object Recognized!
Type : RegData
Data : SearchHelp
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : appid
Value :
Data : SearchHelp

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 44
Objects found so far: 63


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Bar.startium.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://www.startium.com/metasearch.php?dst=DIST1"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.startium.com/metasearch.php?dst=DIST1"
Possible Browser Hijack attempt : S-1-5-18\Software\Microsoft\Internet Explorer\MainSearch Bar.startium.com

Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://www.startium.com/metasearch.php?dst=DIST1"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : S-1-5-18\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.startium.com/metasearch.php?dst=DIST1"

Lycos Sidesearch Object Recognized!
Type : RegValue
Data :
Category : Misc
Comment : ({C5183ABC-EB6E-4E05-B8C9-500A16B6CF94})
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Toolbar
Value : {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 66


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 66



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : system@z1.adserver[1].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\LocalService\Cookies\system@z1.adserver[1].txt

StatBlaster Object Recognized!
Type : File
Data : EXACTADVERTISING.exe
Category : Data Miner
Comment :
Object : C:\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : FixIbis
InternalName : FixHostsFile
OriginalFilename : FixHostsFile.exe


EzuLa Object Recognized!
Type : File
Data : ezStub.exe
Category : Data Miner
Comment :
Object : C:\
FileVersion : 3, 0, 80, 0
ProductVersion : 1, 0, 0, 1
ProductName : eZstub Module
CompanyName : EARNStatBlasterWO
FileDescription : eZstub Module
InternalName : eZstub
LegalCopyright : Copyright 2000
OriginalFilename : eZstub.EXE


Win32.Turown.h Object Recognized!
Type : File
Data : Overpro323.exe
Category : Malware
Comment :
Object : C:\



MemoryWatcher Object Recognized!
Type : File
Data : MemoryWatcher.exe
Category : Malware
Comment :
Object : C:\Program Files\MemoryWatcher\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : Memory Watcher
CompanyName : Memory Watcher
FileDescription : Memory Watcher
InternalName : MemoryWatcher
LegalCopyright : Memory Watcher 2003
LegalTrademarks : Memory Watcher 2003
OriginalFilename : MemoryWatcher.exe


Lycos Sidesearch Object Recognized!
Type : File
Data : sep.dll
Category : Misc
Comment :
Object : C:\Program Files\SEP\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : SEP
FileDescription : SEP Module
InternalName : sep
LegalCopyright : Copyright 2004
OriginalFilename : sep.DLL


BrowserAid Object Recognized!
Type : File
Data : stlbdist.DLL
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



PeopleOnPage Object Recognized!
Type : File
Data : auto_update_install.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\AutoUpdate0\



PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\AutoUpdate0\



midADdle Object Recognized!
Type : File
Data : clicks.dll
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\
FileVersion : 1.0.0.15
ProductVersion : 1.0.0.15
InternalName : clicks.dll
LegalCopyright : All rights reserved.
OriginalFilename : clicks.dll


Rads01.Quadrogram Object Recognized!
Type : File
Data : instnotify.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : Installation Notifier
InternalName : instnotify
OriginalFilename : instnotify.exe


MemoryWatcher Object Recognized!
Type : File
Data : MemoryWatcher_b.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\



StatBlaster Object Recognized!
Type : File
Data : update_1.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\



StatBlaster Object Recognized!
Type : File
Data : WinWildApp.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\



PeopleOnPage Object Recognized!
Type : File
Data : ace.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\~apropos0\
FileVersion : 5.1.18
ProductVersion : 5.1.18
ProductName : ACE
FileDescription : ACE
InternalName : ACEDLL
OriginalFilename : ACE.DLL


PeopleOnPage Object Recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\Temp\~apropos0\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 82


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
446 entries scanned.
New critical objects:0
Objects found so far: 82




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

BrowserAid Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\updt

BrowserAid Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\updt
Value : upt

BrowserAid Object Recognized!
Type : File
Data : stlbdist.XML
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\



MemoryWatcher Object Recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\Program Files\MemoryWatcher

MemoryWatcher Object Recognized!
Type : File
Data : COMCTL32.OCX
Category : Data Miner
Comment :
Object : C:\Program Files\memorywatcher\
FileVersion : 6.00.8105
ProductVersion : 6.00.8105
ProductName : COMCTL
CompanyName : Microsoft Corporation
FileDescription : Windows Common Controls ActiveX Control DLL
InternalName : COMCTL
LegalCopyright : Copyright © 1987-1997 Microsoft Corp.
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows™ is a trademark of Microsoft Corporation
OriginalFilename : COMCTL32.OCX
Comments : October 11, 1999


MemoryWatcher Object Recognized!
Type : File
Data : EULA.URL
Category : Data Miner
Comment :
Object : C:\Program Files\memorywatcher\



MemoryWatcher Object Recognized!
Type : File
Data : TrayIcon.ocx
Category : Data Miner
Comment :
Object : C:\Program Files\memorywatcher\
FileVersion : 1.00
ProductVersion : 1.00
ProductName : vbRad
CompanyName : Robdogg Inc.
InternalName : TrayIcon
OriginalFilename : TrayIcon.ocx


MemoryWatcher Object Recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : C:\Program Files\memorywatcher\



midADdle Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Updater

PeopleOnPage Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\autoloader

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : searchhelp

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : searchhelp
Value :

CoolWebSearch Object Recognized!
Type : File
Data : SearchBar.htm
Category : Malware
Comment :
Object : C:\WINDOWS\system32\



StatBlaster Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\wildmedia

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 14
Objects found so far: 96

19:25:45 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:35.625
Objects scanned:90263
Objects identified:77
Objects ignored:0
New critical objects:77

3) Installed and have AVG A/V software now running. I allowed it to remove everything it found but it has detected a virus in the following file: windows\system32\uxzlyr32.dll, but it says in cannot be deleted - i tried deleting it using windows explorer but this didn't work.

4) I've now installed Zone Alarm firewall

5) I re-ran HJT and here's the log:

Logfile of HijackThis v1.98.2
Scan saved at 19:28:13, on 24/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\atl39290.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Andy\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Andy\Local Settings\Temp\kv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\Run: [regservices.exe] regservices.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\Run: [Task manager] TikTo.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ituxsjpb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Wpqp4] C:\windows\temp\Wpqp4.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [6XW] C:\windows\temp\6XW.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [5MKXQCH56MK5B#] C:\WINDOWS\System32\Ocn67i0.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [334fb511f5c6] C:\WINDOWS\System32\atl39290.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\private.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\RunServices: [regservices.exe] regservices.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Task manager] TikTo.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [regservices.exe] regservices.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [Task manager] TikTo.exe
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25087fbb4a052a...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096232922593

Is there hope???

#5 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 24 October 2004 - 03:05 PM

2) Downloaded & ran Ad-aware. It found quite alot and the tutorial said that it was not recommended to remove everything detected so I have attached a copy of the log file created:


Nothing in your Ad-aware log that needs to be saved. Go ahead and rerun Ad-aware and let it remove everything it finds. Ad-aware digs a bit deeper and will do a more thorough job of removing the 'baddies' from your system than would be done using HJT alone.

Is there hope???

Always hope.

After running Ad-aware and allowing it to remove everything it finds, please rescan with HijackThis and post a new log.
Derfram
~~~~~~

#6 donovanbond

donovanbond
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 26 October 2004 - 02:31 PM

Right,

I have re run adware and removed everything it found. I've now run HJT and results are as follows:

Logfile of HijackThis v1.98.2
Scan saved at 20:22:56, on 26/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\atl39290.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Andy\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\Run: [regservices.exe] regservices.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\Run: [Task manager] TikTo.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ituxsjpb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Wpqp4] C:\windows\temp\Wpqp4.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [6XW] C:\windows\temp\6XW.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [5MKXQCH56MK5B#] C:\WINDOWS\System32\Ocn67i0.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [334fb511f5c6] C:\WINDOWS\System32\atl39290.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\private.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\RunServices: [regservices.exe] regservices.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Task manager] TikTo.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [regservices.exe] regservices.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [Task manager] TikTo.exe
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25087fbb4a052a...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096232922593

Thanks very much

#7 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 26 October 2004 - 11:04 PM

Better, but we still have some work to do.


You have a Peper infection

Download the removal tool to the desktop: Peper Removal Tool

YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.
Please run it twice, rebooting in between the first and second run.


Reboot into Safe Mode and enable viewing of Hidden and System files.


Start HJT and click on the SCAN button. Put a check mark in front of the following lines if they still show:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)

O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\Run: [regservices.exe] regservices.exe
O4 - HKLM\..\Run: [Systesms.exe] Systesms.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\ituxsjpb.exe
O4 - HKLM\..\Run: [Task manager] TikTo.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Wpqp4] C:\windows\temp\Wpqp4.exe
O4 - HKLM\..\Run: [Microsoft Features] ms32cfg.exe
O4 - HKLM\..\Run: [6XW] C:\windows\temp\6XW.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [5MKXQCH56MK5B#] C:\WINDOWS\System32\Ocn67i0.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [334fb511f5c6] C:\WINDOWS\System32\atl39290.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\private.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [WindowsRegKeys update] winsysi.exe
O4 - HKLM\..\RunServices: [regservices.exe] regservices.exe
O4 - HKLM\..\RunServices: [Systesms.exe] Systesms.exe
O4 - HKLM\..\RunServices: [Task manager] TikTo.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Microsoft Features] ms32cfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [WindowsRegKeys update] winsysi.exe
O4 - HKCU\..\Run: [regservices.exe] regservices.exe
O4 - HKCU\..\Run: [Systesms.exe] Systesms.exe
O4 - HKCU\..\Run: [Task manager] TikTo.exe
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [Microsoft Features] ms32cfg.exe

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25087fbb4a052a...ip/RdxIE601.cab

With ALL OTHER WINDOWS CLOSED, click on Fix Checked.


Open Windows Explorer (Windows key+e), drill down and delete the following files if found:

C:\WINDOWS\system32\SearchBar.htm
C:\WINDOWS\System32\ituxsjpb.exe
C:\windows\temp\Wpqp4.exe
C:\windows\temp\6XW.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\Ocn67i0.exe
C:\WINDOWS\System32\atl39290.exe
C:\WINDOWS\private.exe


Use Windows Search to locate the following files and delete them: Use caution and check spelling carefully. Some of these are very similar to valid Windows files.

msconfg.exe
winsysi.exe
regservices.exe
Systesms.exe
TikTo.exe
spoolsvc.exe
ms32cfg.exe



Reboot back into normal mode, rescan and post a new HJT log. Also please let me know how things are running.
Derfram
~~~~~~

#8 donovanbond

donovanbond
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 06 November 2004 - 02:43 PM

Hi - I downloaded the pepper removal tool from your link. I installed on the problem laptop and connected to the internet. When I ran the tool and clicked "Find & Fix" it told me "No Pepper files were detected"

Do you want me to continue with the other steps?

#9 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 06 November 2004 - 08:42 PM

Yes, continue with the other steps. Then please post a new HJT log.
Derfram
~~~~~~

#10 donovanbond

donovanbond
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:41 AM

Posted 27 November 2004 - 08:40 AM

Hiya -

Right I've done everything you've said and re-run HJT:

Logfile of HijackThis v1.98.2
Scan saved at 13:12:09, on 27/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Andy\My Documents\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096232922593


Am I free from the virus???

#11 ddeerrff

ddeerrff

    Retired


  • Malware Response Team
  • 2,717 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Upper Midwest, US
  • Local time:08:41 AM

Posted 27 November 2004 - 11:47 AM

Your log is clean.

I see you are running AVG6 Anti-Virus from Grisoft. Grisoft will be discontinuing support for AVG6 soon. Please read these links.

http://www.grisoft.com/us/us_index.php
http://free.grisoft.com/freeweb.php/doc/2/

You will need to download AVG7 Free version as the other version will no longer give you any protection after 31st December 2004.


The following is my standard speech that I post to everyone with a clean log - and your log is now clean:

Here are some simple steps to help keep your computer clean and secure:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. If there are new critical updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. This will ensure your computer is up to date and the operating system is safe from the latest threats.


Use an AntiVirus Software - It is very important that you have an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Equally as important is that you keep your AV up to date. Set it to auto-update if that option is available, otherwise update it at least weekly. If you do not keep your antivirus current, then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

The firewall built into Windows XP is better than nothing, but third party firewalls offer more complete protection. A very good firewall, with a free for personal use version, is ZoneAlarm, available from Zone Labs. Firewalls are also part of the Symantec and McAfee Security Suites.

You can test your firewall at one of the following sites:
Symantec Security: http://security.symantec.com
Gibson Research: http://www.grc.com (follow the links to Shield's-Up!)
DSL Reports Port Scanner: http://www.dslreports.com/scan

For a more in-depth tutorial, and an expanded listing of available firewalls, see
Understanding and Using Firewalls.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
A in-depth treatise on IE privacy and security by Eric Howes can be found here


Install Spybot - Search and Destroy - Download and install the latest version of Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer as an adjunct to your virus protection. Keep this program updated and scan your system periodically with it just as you do with your antivirus software.

A tutorial on installing & using this product can be found at:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers


Install Ad-Aware SE - Download and install the latest version of Ad-Aware SE. Keep this program updated and use it to scan for malware on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found at:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from downloading and running known malicious programs.

A tutorial on installing & using this product can be found at:
Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Finally, practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will, but sometimes it won't.

Follow this list and your potential for being infected again will be dramatically reduced.
Derfram
~~~~~~




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users