Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dluca.trojan & Adverts.trojan


  • Please log in to reply
8 replies to this topic

#1 garly

garly

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 15 January 2006 - 09:21 PM

hi all,

first time here for posting, hope someone can help me. My partners computer is running Windows ME, about 5 yrs old, and when we run Ad-Aware SE we keepgetting an error telling us about Win32.Adverts.TrojanDownloader & Win32.Dluca.Trojan Downloader. Doesnt seem to be infecting anything but am concerned about the potential for it to do so, not knowing what it is.
Ad Aware & HiJack this logs below.

Thanks in advance

Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, 30 December 2005 10:36:11 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R84 28.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):5 total references
Win32.Adverts.TrojanDownloader(TAC index:6):4 total references
Win32.Dluca.TrojanDownloader(TAC index:6):4 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


30-12-2005 10:36:11 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293883665
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294950001
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294958149
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294952577
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294862149
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [STIMON.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294859881
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294841237
Threads : 14
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:8 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294810729
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:9 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294835081
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:10 [CPQEADM.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294714749
Threads : 1
Priority : Normal
FileVersion : 6.00.007
ProductVersion : 6.00.007
ProductName : Compaq Easy Access Button Support
CompanyName : Compaq Computer Corporation
FileDescription : Easy Access Software Demon
InternalName : CPQEADM
LegalCopyright : Copyright © 2000
OriginalFilename : CPQEADM.exe

#:11 [CPQINET.EXE]
FilePath : C:\COMPAQ\CPQINET\
ProcessID : 4294708637
Threads : 3
Priority : Normal
FileVersion : 3, 0, 2, 7
ProductVersion : 2, 2, 0, 0
ProductName : CPQINET
CompanyName : Compaq Computer Corporation
FileDescription : CPQInet
InternalName : CPQInet
LegalCopyright : Copyright © 2000, 2001
LegalTrademarks : All Rights Reserved
OriginalFilename : CPQInet.exe
Comments : Compaq Internet Runtime Service

#:12 [DEVGULP.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\
ProcessID : 4294730269
Threads : 2
Priority : Normal
FileVersion : 1, 4, 4, 0
ProductVersion : 1, 4, 4, 0
ProductName : Digital Dashboard (LCD) Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Device Detective & Internet Alive
InternalName : DevGulp
LegalCopyright : Copyright Compaq Computer Corporation, 1999-2000
LegalTrademarks : Compaq
OriginalFilename : DevGulp.EXE
Comments : Device Detective & Internet Alive

#:13 [SCCENTER.EXE]
FilePath : C:\CPQS\BWTOOLS\
ProcessID : 4294726397
Threads : 2
Priority : Normal
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
ProductName : SCCenter Module
CompanyName : Compaq Computer Corporation
FileDescription : SCCenter Module
InternalName : SCCenter
LegalCopyright : Copyright 1999
LegalTrademarks : All rights reserved
OriginalFilename : SCCenter.EXE

#:14 [TBPT.EXE]
FilePath : C:\PROGRAM FILES\TELSTRA\SIGNUP\
ProcessID : 4294746173
Threads : 1
Priority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 00, 6, 1
ProductName : Telstra Big Pond Launcher
CompanyName : Telstra Big Pond
FileDescription : Telstra Home Page Launcher
InternalName : Telstra Web Comp
LegalCopyright : Copyright © 2000
LegalTrademarks : HyperDyne ®
OriginalFilename : tbpt.exe
Comments : hd@hyperdyne.com.au

#:15 [NSCNTRL.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294745593
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 24
ProductVersion : 3, 0, 0, 24

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Process
Data : NSCNTRL.EXE
TAC Rating : 6
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\
FileVersion : 3, 0, 0, 24
ProductVersion : 3, 0, 0, 24

Warning! Win32.Adverts.TrojanDownloader Object found in memory(C:\WINDOWS\SYSTEM\NSCNTRL.EXE)

"C:\WINDOWS\SYSTEM\NSCNTRL.EXE"Process terminated successfully

#:16 [LOADQM.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294740945
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:17 [MSNAPPAU.EXE]
FilePath : C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-AU\
ProcessID : 4294770197
Threads : 2
Priority : Normal


#:18 [WDINFO.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294762353
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 30
ProductVersion : 3, 0, 0, 30

#:19 [BTTNSERV.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294652725
Threads : 5
Priority : Normal
FileVersion : 4.00.061
ProductVersion : 4.00.061
ProductName : BttnServ Module
CompanyName : Compaq Computer Corporation
FileDescription : Button Server
InternalName : BttnServ
LegalCopyright : Copyright 1997-1999 Compaq Computer Corporation
OriginalFilename : BttnServ.exe
Comments : 4.00.061

#:20 [OPWARESE2.EXE]
FilePath : C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\
ProcessID : 4294651101
Threads : 1
Priority : Normal
FileVersion : 12.0
ProductVersion : 2.0
ProductName : OmniPage SE
CompanyName : ScanSoft, Inc.
FileDescription : OCR Aware (32-bit)
InternalName : OPWARE12.EXE
LegalCopyright : Copyright © 1995-2003 ScanSoft, Inc.
LegalTrademarks : ScanSoft, OmniPage and OmniPage SE are registered trademarks of ScanSoft, Inc. in the United States and/or other countries.

OriginalFilename : OPWARE12.EXE

#:21 [MSQSRC.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYSTEM\
ProcessID : 4294766721
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 33
ProductVersion : 3, 0, 0, 33

#:22 [HIDSERV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294707117
Threads : 3
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : HIDSERV.EXE

#:23 [RunDLL.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294659925
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:24 [MSNMSGR.EXE]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4294822417
Threads : 1
Priority : Normal
FileVersion : 7.0.0816
ProductVersion : 7.0.0816
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:25 [STMGR.EXE]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294672605
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:26 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294585929
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:27 [WKCALREM.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4294591593
Threads : 2
Priority : Normal
FileVersion : 5.00.1928.1
ProductVersion : 5.00.1928.1
ProductName : Microsoft® Works 2000
CompanyName : Microsoft® Corporation
FileDescription : Microsoft® Works Calendar Reminder Service
InternalName : WkCalRem
LegalCopyright : © 1999 Microsoft Corp. All rights reserved.
OriginalFilename : WKCALREM.EXE

#:28 [EAUSBKBD.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294565893
Threads : 7
Priority : Normal
FileVersion : 6.00.116
ProductVersion : 6.00.116
ProductName : Compaq Easy Access Keyboard Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Compaq Easy Access USB Keyboard Driver
InternalName : EAUSBKBD
LegalCopyright : Copyright © 1999-2000 Compaq Computer Corporation
OriginalFilename : EAUSBKBD.EXE
Comments : VA

#:29 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294471157
Threads : 3
Priority : Normal
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : Protected storage server

#:30 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294539321
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{00000000-0000-0000-0000-000000000001}

Win32.Dluca.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : CCINFO

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : GetInfoRetryCounter

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 10


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Deep scanning and examining files (d:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for d:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\program data

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\program info

Win32.Dluca.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\infosoft

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 13

10:41:36 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:24.940
Objects scanned:103663
Objects identified:8
Objects ignored:0
New critical objects:8



Logfile of HijackThis v1.99.1
Scan saved at 9:43:29 AM, on 15/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\NSCNTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-AU\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WDINFO.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MS1SRC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-AU\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-AU\MSNTB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [Update Local] C:\Windows\SETCPQLC.EXE
O4 - HKLM\..\Run: [Update for Works] C:\Windows\MSWKSTZ.EXE
O4 - HKLM\..\Run: [nscntrl] c:\windows\system\nscntrl.exe /nocomm
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe"
O4 - HKLM\..\Run: [WDInfo] c:\windows\system\wdinfo.exe /nocomm
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYAU
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:03 AM

Posted 21 January 2006 - 07:23 AM

Hi,

Sorry for this delay. Post please a fresh hijackthis log if you still have problems.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 garly

garly
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 21 January 2006 - 10:57 PM

hi, thanks for responding. same logs are still valid. havent been able to progress any further.

Thanks

Glenn B

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:03 AM

Posted 22 January 2006 - 04:17 AM

Your log is one week old. If you need assistance please post a fresh one.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 garly

garly
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 23 January 2006 - 02:05 AM

hi, thanks again. i wont be at her house until Wednesday night Australian time so i will post it then.

Glenn B

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:03 AM

Posted 23 January 2006 - 04:16 PM

OK, no problem.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 garly

garly
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 30 January 2006 - 09:10 PM

new logs as of Sunday 29 Jan

Logfile of HijackThis v1.99.1
Scan saved at 6:23:18 PM, on 29/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-AU\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WDINFO.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\OPWARESE2.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MS1SRC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-AU\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-AU\MSNTB.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [Update Local] C:\Windows\SETCPQLC.EXE
O4 - HKLM\..\Run: [Update for Works] C:\Windows\MSWKSTZ.EXE
O4 - HKLM\..\Run: [nscntrl] c:\windows\system\nscntrl.exe /nocomm
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe"
O4 - HKLM\..\Run: [WDInfo] c:\windows\system\wdinfo.exe /nocomm
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYAU
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab


Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, 29 January 2006 6:11:41 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R84 28.12.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):11 total references
Tracking Cookie(TAC index:3):14 total references
Win32.Adverts.TrojanDownloader(TAC index:6):4 total references
Win32.Dluca.TrojanDownloader(TAC index:6):8 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


29-01-2006 6:11:41 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293884369
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294947505
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294955653
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294953025
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294863749
Threads : 2
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [STIMON.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294858201
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294870493
Threads : 16
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:8 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294832357
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:9 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294829157
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:10 [HIDSERV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294734369
Threads : 3
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : HIDSERV.EXE

#:11 [CPQEADM.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294721313
Threads : 1
Priority : Normal
FileVersion : 6.00.007
ProductVersion : 6.00.007
ProductName : Compaq Easy Access Button Support
CompanyName : Compaq Computer Corporation
FileDescription : Easy Access Software Demon
InternalName : CPQEADM
LegalCopyright : Copyright © 2000
OriginalFilename : CPQEADM.exe

#:12 [CPQINET.EXE]
FilePath : C:\COMPAQ\CPQINET\
ProcessID : 4294730929
Threads : 3
Priority : Normal
FileVersion : 3, 0, 2, 7
ProductVersion : 2, 2, 0, 0
ProductName : CPQINET
CompanyName : Compaq Computer Corporation
FileDescription : CPQInet
InternalName : CPQInet
LegalCopyright : Copyright © 2000, 2001
LegalTrademarks : All Rights Reserved
OriginalFilename : CPQInet.exe
Comments : Compaq Internet Runtime Service

#:13 [DEVGULP.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\
ProcessID : 4294724309
Threads : 2
Priority : Normal
FileVersion : 1, 4, 4, 0
ProductVersion : 1, 4, 4, 0
ProductName : Digital Dashboard (LCD) Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Device Detective & Internet Alive
InternalName : DevGulp
LegalCopyright : Copyright Compaq Computer Corporation, 1999-2000
LegalTrademarks : Compaq
OriginalFilename : DevGulp.EXE
Comments : Device Detective & Internet Alive

#:14 [SCCENTER.EXE]
FilePath : C:\CPQS\BWTOOLS\
ProcessID : 4294730729
Threads : 2
Priority : Normal
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
ProductName : SCCenter Module
CompanyName : Compaq Computer Corporation
FileDescription : SCCenter Module
InternalName : SCCenter
LegalCopyright : Copyright 1999
LegalTrademarks : All rights reserved
OriginalFilename : SCCenter.EXE

#:15 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294748841
Threads : 3
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:16 [NSCNTRL.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294747749
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 24
ProductVersion : 3, 0, 0, 24

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Process
Data : NSCNTRL.EXE
TAC Rating : 6
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\
FileVersion : 3, 0, 0, 24
ProductVersion : 3, 0, 0, 24

Warning! Win32.Adverts.TrojanDownloader Object found in memory(C:\WINDOWS\SYSTEM\NSCNTRL.EXE)

"C:\WINDOWS\SYSTEM\NSCNTRL.EXE"Process terminated successfully

#:17 [BTTNSERV.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294738697
Threads : 5
Priority : Normal
FileVersion : 4.00.061
ProductVersion : 4.00.061
ProductName : BttnServ Module
CompanyName : Compaq Computer Corporation
FileDescription : Button Server
InternalName : BttnServ
LegalCopyright : Copyright 1997-1999 Compaq Computer Corporation
OriginalFilename : BttnServ.exe
Comments : 4.00.061

#:18 [LOADQM.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294767733
Threads : 3
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:19 [MSNAPPAU.EXE]
FilePath : C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-AU\
ProcessID : 4294757485
Threads : 2
Priority : Normal


#:20 [WDINFO.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294651093
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 30
ProductVersion : 3, 0, 0, 30

#:21 [OPWARESE2.EXE]
FilePath : C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE2.0\
ProcessID : 4294642553
Threads : 1
Priority : Normal
FileVersion : 12.0
ProductVersion : 2.0
ProductName : OmniPage SE
CompanyName : ScanSoft, Inc.
FileDescription : OCR Aware (32-bit)
InternalName : OPWARE12.EXE
LegalCopyright : Copyright © 1995-2003 ScanSoft, Inc.
LegalTrademarks : ScanSoft, OmniPage and OmniPage SE are registered trademarks of ScanSoft, Inc. in the United States and/or other countries.

OriginalFilename : OPWARE12.EXE

#:22 [MS1SRC.EXE]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYSTEM\
ProcessID : 4294667637
Threads : 1
Priority : Normal
FileVersion : 3, 0, 0, 35
ProductVersion : 3, 0, 0, 35

#:23 [RunDLL.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294677829
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:24 [MSNMSGR.EXE]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4294699277
Threads : 1
Priority : Normal
FileVersion : 7.0.0816
ProductVersion : 7.0.0816
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:25 [STMGR.EXE]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294587865
Threads : 4
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:26 [EAUSBKBD.EXE]
FilePath : C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\
ProcessID : 4294633325
Threads : 7
Priority : Normal
FileVersion : 6.00.116
ProductVersion : 6.00.116
ProductName : Compaq Easy Access Keyboard Support Software
CompanyName : Compaq Computer Corporation
FileDescription : Compaq Easy Access USB Keyboard Driver
InternalName : EAUSBKBD
LegalCopyright : Copyright © 1999-2000 Compaq Computer Corporation
OriginalFilename : EAUSBKBD.EXE
Comments : VA

#:27 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294559413
Threads : 3
Priority : Normal
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : Protected storage server

#:28 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294538005
Threads : 2
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 12


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{00000000-0000-0000-0000-000000000001}

Win32.Dluca.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : LastWNK

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : DaytimeDocID

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : DaytimeDocTime

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : GetInfoRetryCounter

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : VNPIN

Win32.Dluca.TrojanDownloader Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\infosoft\qsearch
Value : CCINFO

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 8
Objects found so far: 20


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:15
Value : Cookie:adam@trafficmp.com/
Expires : 17-01-2007 4:57:52 PM
LastSync : Hits:15
UseCount : 0
Hits : 15

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:adam@imrworldwide.com/cgi-bin
Expires : 15-01-2016 5:03:50 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:adam@overture.com/
Expires : 15-01-2016 4:34:26 PM
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:adam@tribalfusion.com/
Expires : 1-01-2038 11:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:14
Value : Cookie:adam@casalemedia.com/
Expires : 8-01-2007 11:47:24 AM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:adam@fastclick.net/
Expires : 17-01-2008 5:02:36 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@media.fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:adam@media.fastclick.net/
Expires : 17-01-2006 6:04:10 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 27



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@trafficmp[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@trafficmp[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@overture[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@overture[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@casalemedia[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@casalemedia[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@media.fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@media.fastclick[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@fastclick[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@tribalfusion[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@tribalfusion[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : adam@cgi-bin[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\adam@cgi-bin[2].txt

Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Deep scanning and examining files (d:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for d:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 34


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\program data

Win32.Adverts.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\program info

Win32.Dluca.TrojanDownloader Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\infosoft

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 37

6:16:47 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:05:05.820
Objects scanned:99073
Objects identified:26
Objects ignored:0
New critical objects:26

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:06:03 AM

Posted 01 February 2006 - 12:23 AM

Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop. Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a checkmark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

O4 - HKLM\..\Run: [nscntrl] c:\windows\system\nscntrl.exe /nocomm
O4 - HKLM\..\Run: [WDInfo] c:\windows\system\wdinfo.exe /nocomm
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBzeb030YYAU

O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
c:\windows\system\nscntrl.exe <-- this file
c:\windows\system\wdinfo.exe <-- this file
c:\program files\common files\system\ms1src.exe <-- this file


With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run this online scan:
Kaspersky Online Scanner: http://www.kaspersky.com/virusscanner

Copy and post the log please.

Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 garly

garly
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 01 February 2006 - 12:57 AM

hi,

thanks for your response. As she lives over 4 hours away, i wont get to do this until 3 weeks time. i shall reply and post new logs then.

Thanks again




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users