
HJT Log - Bowie


9 replies to this topic

#1 Bowie

Bowie

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 01 December 2004 - 01:00 AM

Hi folks,

Would greatly appreciate help on trying to bring my hijack to a non-violent conclusion. My log from HijackThis is below. Other, perhaps relevant, information:

- I have run Spybot and Ad-aware Search & Destroy
- I have also used McAfee anti-spyware
- When I run Spybot I continually end up with 'DCO Exploit' and cannot seem to be rid of it. Of course when I re-boot I end up with all of its friends once again...
- I seem to be re-directed to 'slotch.com'

I hope you can help. Many thanks in advance, Bowie. Log follows:

Logfile of HijackThis v1.98.2
Scan saved at 16:35:37, on 01/12/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\sysmgt\tngrco\RCManClient.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\sysmgt\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\ORL\VNC\WinVNC.Exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\S3Tray2.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\RunDll32.exe
C:\sysmgt\TNGSD\BIN\triggusr.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINNT\paint.exe
C:\WINNT\msdos32.exe
C:\windrar.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\WINNT\site.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\WINNT\gam.exe
C:\WINNT\System32\winnt.exe
C:\gpb2.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINNT\dieset.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\dllmanager.exe
C:\WINNT\DeskBikini-153315.exe
C:\WINNT\TEMP\11299.exe
C:\WINNT\system32\cmd.exe
C:\HijackThis\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=1001613
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINNT\system32\FWNToolbar.dll
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINNT\system32\srchbar.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [CfgDownload] C:\IXOS-ARCHIVE\bin\CfgDownload.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINNT\paint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINNT\msdos32.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Spool] C:\windrar.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINNT\site.exe
O4 - HKLM\..\Run: [Adobe] C:\WINNT\gam.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\Run: [Services] C:\gpb2.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\dieset.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKLM\..\RunOnce: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\RunOnce: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - HKCU\..\RunOnce: [USB Device] win32usb.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/23433cad66a70f5ab305/netzip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://sbsmelhr02.corpmel.bhp.com.au/activex/OrgPubX.cab
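A small triage script for the O4 (autostart) entries in a log like the one above. This is an added example, not code from the thread or from HijackThis: it parses the `O4 - HIVE\..\Key: [name] command` lines and applies three heuristics the posted log illustrates (a value name impersonating a system binary while launching a different file, one command registered across Run/RunOnce/RunServices in both hives, and executables sitting directly in C:\ or C:\WINNT). The sample lines are copied from the posted log; the allow-list of binaries expected in the Windows root is an assumption.

```python
"""Triage the O4 (autostart) entries of a HijackThis v1.98 log.

Added example for this thread, not code from HijackThis or from the posters.
Three defender heuristics that the posted log illustrates are applied:
  1. the value name impersonates a system binary ("winlogin.exe") but the
     command launches a different file (C:\\WINNT\\paint.exe);
  2. one command is registered in three or more Run/RunOnce/RunServices
     locations across HKLM and HKCU, which installers almost never do;
  3. the executable sits directly in C:\\ or the Windows directory.
The allow-list of binaries expected in the Windows root is an assumption.
"""
import re
from collections import defaultdict

# O4 line layout as HijackThis prints it: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First image path in the command: optional opening quote, up to an executable suffix.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr))\b', re.IGNORECASE)
# Binaries that legitimately live in the Windows directory root (assumed list).
WINROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe"}

# Constructed sample: O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINNT\paint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINNT\msdos32.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [Spool] C:\windrar.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
""".strip().splitlines()


def parse_o4(line):
    """Return (hive, key, name, cmd) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return (m["hive"], m["key"], m["name"], m["cmd"]) if m else None


def image_path(cmd):
    """Extract the launched file from the command, dropping quotes and arguments."""
    m = IMAGE_RE.match(cmd.strip())
    return m["path"] if m else (cmd.split() or [""])[0]


def triage(lines):
    """Return sorted (finding, value_name, command) tuples for the given log lines."""
    entries = [e for e in map(parse_o4, lines) if e]
    # Record every hive/key location where an identical (name, command) pair appears.
    locations = defaultdict(set)
    for hive, key, name, cmd in entries:
        locations[(name.lower(), cmd.lower())].add((hive, key))
    findings = set()
    for hive, key, name, cmd in entries:
        directory, _, base = image_path(cmd).rpartition("\\")
        directory, base = directory.lower(), base.lower()
        # 1. "[winlogin.exe] C:\WINNT\paint.exe": name mimics a system file, target differs.
        if name.lower().endswith(".exe") and name.lower() != base:
            findings.add(("name_mismatch", name, cmd))
        # 2. Same command under Run, RunServices and RunOnce (and/or both hives).
        if len(locations[(name.lower(), cmd.lower())]) >= 3:
            findings.add(("multi_location", name, cmd))
        # 3. Executable dropped straight into the drive root or the Windows directory.
        if directory in ("c:", "c:\\winnt", "c:\\windows") and base not in WINROOT_OK:
            findings.add(("dropped_in_root", name, cmd))
    return sorted(findings)


if __name__ == "__main__":
    for finding, name, cmd in triage(SAMPLE_LOG):
        print(f"{finding:16} [{name}] {cmd}")
```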


#2 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:09 AM

Posted 01 December 2004 - 02:42 AM

Greetings Bowie

You have a large collection of malware taking up residence in your computer including a number of worms, bots and trojans.

Let's begin to clean things up.

IMPORTANT
You must be connected to the Internet and you must stay connected throughout this process.
Close Internet Explorer and keep it closed throughout this process.

Print out these instructions as you will not be able to refer to them here with your browser closed.

In "Control Panel" go to Add/Remove Programs and uninstall any of the following if present.

Active alert

Internet Optimizer

ISTSvc

Sidefind

Slotchbar

Software Update Manager

Uninstall 180 Search Assistant

Continue to press the uninstall button when it prompts you.

Viewpoint Media Player

WSEM Update



Please place a check mark for these entries in HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=1001613
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.ht...ount_id=1001613
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINNT\system32\FWNToolbar.dll
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - C:\WINNT\system32\srchbar.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/23433cad66a70f5ab305/netzip/RdxIE2.cab


Using Windows Explorer, navigate to C:\Program Files and delete these folders in bold if they exist.


c:\program files\180Solutions<-----this folder
c:\program files\AWS<-----this folder
c:\program files\Internet Optimizer<-----this folder
c:\program files\ISTBar<-----this folder
c:\program files\Powerscan<-----this folder
c:\program files\SideFind<-----this folder

- REBOOT

Download a free trial version of Trojan Hunter HERE

Let it fix all that it finds. Save the log, copy/paste it here so I may review it.

- REBOOT

There is more that will need to be done.
Run another HJT scan and post a fresh log here for further review.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#3 Bowie

Bowie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:09 AM

Posted 02 December 2004 - 12:35 AM

Tx for the help so far Indrid Cold.

I did as you suggested and below I've pasted the log from TrojanHunter Scan and then the post-TrojanHunter HijackThis scan.

A couple of points I presume are relevant:

- I couldn't delete folder C:\Program files\Sidefinder because "sfbho.dll file is being used by Windows"
- I couldn't delete C:\Program Files\Internet Optimizer because "source file may be in use"
- TrojanHunter came up with three suspicious files
1. C:\WINNT\system32\msgrsv32.exe
2. C:\WINNT\system32\windnsd.exe
3. C:\WINNT\system32\wins32.exe
- Now that I've re-booted, I notice that at least one folder I'd previously deleted is back! (Powerscan)

TrojanHunter scan log follows:

Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA (matches Adware.AvenueMedia.Dyfuca.102)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer (matches Adware.AvenueMedia.InternetOptimizer.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Avenue Media\Internet Optimizer (matches Adware.AvenueMedia.InternetOptimizer.100)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Internet Optimizer (matches Adware.AvenueMedia.InternetOptimizer.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer Active Alert (matches Adware.AvenueMedia.InternetOptimizer.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\ADP.UrlCatcher (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Bargains (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\ADP.UrlCatcher.1 (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy (matches Adware.BargainBuddy.101)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FWN Toolbar (matches Adware.FindWhateverNow.Toolbar.100)
Registry key exists: HKEY_CLASSES_ROOT\FWN.FWNToolbar (matches Adware.FindWhateverNow.Toolbar.100)
Registry key exists: HKEY_CLASSES_ROOT\FWN.ISubclass (matches Adware.FindWhateverNow.Toolbar.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{BCAA3A19-1051-4C2F-88B9-4D05985AA2C6} (matches Adware.FindWhateverNow.Toolbar.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD} (matches Adware.GlobalWebSearch.Toolbar.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YourSiteBar (matches Adware.IST-YourSiteBar.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{86227D9C-0EFE-4f8a-AA55-30386A3F5686} (matches Adware.IST-YourSiteBar.100)
Registry key exists: HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6} (matches Adware.IST-YourSiteBar.100)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5F1ABCDB-A875-46c1-8345-B72A4567E486} (matches Adware.ISTBar.208)
Registry key exists: HKEY_CURRENT_USER\Software\IST (matches Adware.ISTBar.211)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\ISTsvc (matches Adware.ISTBar.211)
Registry key exists: HKEY_CLASSES_ROOT\LocalNRDDll.LocalNRDDllObj.1 (matches Adware.LocalNRD.100)
Registry key exists: HKEY_CLASSES_ROOT\CLSID\{00320615-B6C2-40A6-8F99-F1C52D674FAD} (matches Adware.LocalNRD.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (matches Adware.TargetSaver.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\TSA (matches Adware.TargetSaver.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSL Installer (matches Adware.TargetSaver.100)
Inifile scan
No suspicious entries found
Port scan
Port 3333/TCP is open (Matches Daodan.123. Port being used by process windnsd.exe/PID 520) (Tell me more about port alerts...)
Port 4288/TCP is open (Matches MoSucker.300. Port being used by process systemconfig.exe/PID 996) (Tell me more about port alerts...)
Port 3410/TCP is open (Matches OptixPro.100. Port being used by process windnsd.exe/PID 520) (Tell me more about port alerts...)
Port 3410/TCP is open (Matches OptixPro.110. Port being used by process windnsd.exe/PID 520) (Tell me more about port alerts...)
Memory scan
Found trojan module ysb.dll loaded into process iexplore.exe (2068): Adware.IST-YourSiteBar.101
Found trojan module istbar.dll loaded into process iexplore.exe (2068): Adware.ISTBar.220
Found trojan module nem220.dll loaded into process iexplore.exe (2068): Adware.AvenueMedia.Dyfuca.104
Found trojan module localNRD.dll loaded into process iexplore.exe (2068): Adware.LocalNRD.102
File scan
Found trojan file: C:\DeskBikini-Marc99.exe (Adware.MediaMotor.101)
Found trojan file: C:\DeskBikini.exe (Adware.MediaMotor.101)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\bb.exe (Adware.BargainBuddy.104)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\GLF12GLF12.EXE (Adware.TargetSaver.102)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.ocx (Adware.MediaTickets.105)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\ICD3.tmp\WinTaskAdX.dll/gHERxaeX.exe (Adware.WindUpdates.SyncroAd.107)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\optimize.exe (Adware.AvenueMedia.Dyfuca.105)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\powerscan.exe/CuU.exe (Adware.IST-PowerScan.101)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temp\sidefind.exe/fjif1d.exe (Adware.SideFind.100)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\01I7S523\prompt[1].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\01I7S523\prompt[2].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\01I7S523\prompt[3].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\01I7S523\prompt[4].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\G1YVSHY3\prompt[1].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\G1YVSHY3\prompt[2].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[10].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[1].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[2].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[3].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[4].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[5].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[6].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[7].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[8].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\O1YFKDIV\prompt[9].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[1].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[2].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[3].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[4].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[5].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[6].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[7].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\AEBOWM\Local Settings\Temporary Internet Files\Content.IE5\Y70D6J0N\prompt[8].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\347TNGQH\nem220[1].dll/OmU2.exe (Adware.AvenueMedia.Dyfuca.104)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\347TNGQH\sidefind[1].exe/x959gNx.exe (Adware.SideFind.100)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\347TNGQH\wsem302[1].dll/oFLOxml.exe (Adware.AvenueMedia.Dyfuca.102)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\5A6JEM9I\ncase_new[1].exe/5DFM7PS.exe (Adware.180SearchAssistant.100)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\5A6JEM9I\ncase_new[1].exe (Adware.180SearchAssistant.102)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\5A6JEM9I\powerscan[1].exe/2mx.exe (Adware.IST-PowerScan.101)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\KU4HWGYY\istbar_mainstream[1].dll/S8Ex.exe (Adware.ISTBar.220)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\KU4HWGYY\optimize[1].exe (Adware.AvenueMedia.Dyfuca.105)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\KU4HWGYY\prompt[1].htm (Adware.ISTBar.201)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\RVW98Q1M\actalert[1].exe (Adware.AvenueMedia.InternetOptimizer.100)
Found trojan file: C:\Documents and Settings\c50rrsadm\Local Settings\Temporary Internet Files\Content.IE5\RVW98Q1M\istsvc[1].exe (Adware.ISTBar.220)
Found trojan file: C:\HijackThis\backups\backup-20041202-094533-234.dll/hTyk.exe (Adware.BlazeFind.SearchRelevancy.100)
Found trojan file: C:\PCSkins.exe (Adware.MediaMotor.101)
Found trojan file: C:\Program Files\180Solutions\sais.exe/UaWhlKYk.exe (Adware.180SearchAssistant.100)
Found trojan file: C:\Program Files\180Solutions\sais.exe (Adware.180SearchAssistant.102)
Found trojan file: C:\Program Files\180Solutions\saishook.dll (Adware.180SearchAssistant.100)
Found trojan file: C:\Program Files\BullsEye Network\bin\adv.exe (Adware.eXact.Advertising.101)
Found trojan file: C:\Program Files\BullsEye Network\bin\adx.exe (Adware.eXact.Advertising.101)
Found trojan file: C:\Program Files\BullsEye Network\bin\bargains.exe (Adware.eXact.Advertising.101)
Found trojan file: C:\Program Files\BullsEye Network\Uninstall.exe (Adware.BargainBuddy.101)
Found trojan file: C:\Program Files\BullsEye Network\Uninstall.exe (Adware.BargainBuddy.104)
Found trojan file: C:\Program Files\Common Files\tsa\ts2.exe (Adware.TargetSaver.102)
Found trojan file: C:\Program Files\Common Files\tsa\tsl.exe (Adware.TargetSaver.101)
Found trojan file: C:\Program Files\Common Files\tsa\tsl2.exe (Adware.TargetSaver.102)
Found trojan file: C:\Program Files\Common Files\tsa\tsm2.exe (Adware.TargetSaver.102)
Found trojan file: C:\Program Files\Common Files\tsa\tsp2.exe (Adware.TargetSaver.102)
Found trojan file: C:\Program Files\Common Files\tsa\tsuninst.exe (Adware.TargetSaver.102)
Found trojan file: C:\Program Files\IBM\SMA\CheckVer.exe (Moses.110)
Found trojan file: C:\Program Files\Internet Optimizer\actalert.exe (Adware.AvenueMedia.InternetOptimizer.100)
Found trojan file: C:\Program Files\Internet Optimizer\optimize.exe (Adware.AvenueMedia.Dyfuca.105)
Found trojan file: C:\Program Files\Internet Optimizer\update\actalert.exe (Adware.AvenueMedia.InternetOptimizer.100)
Found trojan file: C:\Program Files\ISTbar\istbar.dll/ETXkdg.exe (Adware.ISTBar.220)
Found trojan file: C:\Program Files\ISTsvc\istsvc.exe (Adware.ISTBar.220)
Found trojan file: C:\Program Files\Power Scan\powerscan.exe/LwbQY.exe (Adware.IST-PowerScan.101)
Found trojan file: C:\Program Files\SAP\iTutor\AgentSpk.dll (TrojanDownloader.WebDown.100)
Found trojan file: C:\Program Files\SearchRelevancy\uninstall.exe (Adware.BlazeFind.SearchRelevancy.100)
Found trojan file: C:\Program Files\SideFind\update\sidefind.exe/a1R8EdE.exe (Adware.SideFind.100)
Found trojan file: C:\Program Files\Windows TaskAd\WinProject.dll/6aPljZl.exe (Adware.WindUpdates.SyncroAd.108)
Found trojan file: C:\Program Files\Windows TaskAd\WinSched.exe/hzo.exe (Adware.WindUpdates.SyncroAd.100)
Found trojan file: C:\Program Files\Windows TaskAd\WinTaskAd.exe/D8X9K.exe (Adware.WindUpdates.SyncroAd.100)
Found trojan file: C:\Program Files\YourSiteBar\ys2.dll/YYi.exe (Adware.IST-YourSiteBar.101)
Found trojan file: C:\Program Files\YourSiteBar\ysb.dll/cVqBepB.exe (Adware.IST-YourSiteBar.101)
Found trojan file: C:\RECYCLER\S-1-5-21-118315151-717182974-2099212325-1710\Dc35\powerscan.exe/QOiZIl.exe (Adware.IST-PowerScan.101)
Found trojan file: C:\temp\SearchRelevancy.exe (Adware.BlazeFind.SearchRelevancy.100)
Found trojan file: C:\Toolbar.exe (Adware.MediaMotor.101)
Found trojan file: C:\winexec.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\Desk2.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\DeskBikini-153315.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\DesktopDoodle-153315.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\Downloaded Program Files\WinTaskAdX.dll/SRAY.exe (Adware.WindUpdates.SyncroAd.107)
Found trojan file: C:\WINNT\Downloaded Program Files\YSBactivex.dll/LBc.exe (Adware.ISTBar.215)
Found trojan file: C:\WINNT\lesbiansearchbar-153315.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\localNRD.dll (Adware.LocalNRD.102)
Found trojan file: C:\WINNT\lyxib.exe (Adware.180SearchAssistant.100)
Found trojan file: C:\WINNT\MovieSearchbar-153315.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\MovieSearchbar-Marc99.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\NaughtyPlayer-153315.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\NaughtyPlayer-Marc99.exe (Adware.MediaMotor.101)
Found trojan file: C:\WINNT\nem220.dll/ZNj4b.exe (Adware.AvenueMedia.Dyfuca.104)
Found trojan file: C:\WINNT\preInsln.exe (Adware.BetterInternet.101)
Found trojan file: C:\WINNT\system32\exclean.exe (Adware.BargainBuddy.104)
Found trojan file: C:\WINNT\system32\kqgsjypk.exe/Il4qmay.exe (Adware.BetterInternet.101)
Found possible trojan file: C:\WINNT\system32\msgrsv32.exe (Suspicious: PECompact-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINNT\system32\Toolbar.exe (Adware.MediaMotor.101)
Found possible trojan file: C:\WINNT\system32\windnsd.exe (Suspicious: PECompact-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\WINNT\system32\wins32.exe (Suspicious: TeLock-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\WINNT\Temp\AcsProxyStub.exe (Adware.FireFly.100)
Found trojan file: C:\WINNT\Temp\optimize.exe (Adware.AvenueMedia.Dyfuca.105)
Found trojan file: C:\WINNT\Temp\powerscan.exe/VKyk.exe (Adware.IST-PowerScan.101)
Found trojan file: C:\WINNT\Temp\sidefind.exe/Msg.exe (Adware.SideFind.100)
Found trojan file: C:\WINNT\Temp\THI71D9.tmp\localNRD.dll (Adware.LocalNRD.102)
Found trojan file: C:\WINNT\Temp\THI71D9.tmp\polall1l.exe/9LV1q.exe (Adware.BetterInternet.101)
Found trojan file: C:\WINNT\Temp\THI71D9.tmp\preInsln.exe (Adware.BetterInternet.101)
Found trojan file: C:\WINNT\Temp\thin.exe (Adware.BetterInternet.100)
Found trojan file: C:\WINNT\wsem302.dll/CMIXbK.exe (Adware.AvenueMedia.Dyfuca.102)
Found trojan file: C:\wins98.exe/OOJi8Gh.exe (Adware.WinUpdate.102)
Found trojan file: C:\wintools.exe (Adware.MediaMotor.101)
Error: Directory not found: D:\
106 trojan files found
3 possible trojan files found


HJT Log follows:

Logfile of HijackThis v1.98.2
Scan saved at 16:04:44, on 02/12/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\SYSMGT\TNGDTS\CAM\bin\cam.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\sysmgt\tngrco\RCManClient.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\sysmgt\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\SYSMGT\TNGDTS\bin\tngdta.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\sysmgt\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\ORL\VNC\WinVNC.Exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\S3Tray2.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\RunDll32.exe
C:\sysmgt\TNGSD\BIN\triggusr.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINNT\paint.exe
C:\WINNT\msdos32.exe
C:\windrar.exe
C:\WINNT\site.exe
C:\WINNT\gam.exe
C:\WINNT\System32\winnt.exe
C:\WINNT\System32\iexplore.exe
C:\gpb2.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINNT\System32\win32usb.exe
C:\WINNT\dieset.exe
C:\WINNT\System32\windnsd.exe
C:\WINNT\System32\msgrsv32.exe
C:\WINNT\System32\systemconfig.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\wins32.exe
C:\WINNT\NaughtyPlayer-Marc99.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINNT\explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\TEMP\1122E.exe
C:\DeskBikini.exe
C:\WINNT\TEMP\11232.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\HijackThis\HijackThis.exe
C:\WINNT\System32\dllmanager.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\System32\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll (file missing)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem302.dll (file missing)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [CfgDownload] C:\IXOS-ARCHIVE\bin\CfgDownload.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe
O4 - HKLM\..\Run: [winlogin.exe] C:\WINNT\paint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINNT\msdos32.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\Run: [Spool] C:\windrar.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINNT\site.exe
O4 - HKLM\..\Run: [Adobe] C:\WINNT\gam.exe
O4 - HKLM\..\Run: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\Run: [Services] C:\gpb2.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\dieset.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [lyxib] C:\WINNT\lyxib.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [ldycrttdyn] C:\WINNT\System32\kqgsjypk.exe
O4 - HKLM\..\Run: [svshost32] C:\WINNT\System32\msgrsv32.exe
O4 - HKLM\..\Run: [M1cr0s0ft S3rcurity] systemconfig.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [Microsoft Security Management] winnt.exe
O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunServices: [M1cr0s0ft S3rcurity] systemconfig.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKLM\..\RunOnce: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [Windows DNS Daemon] windnsd.exe
O4 - HKLM\..\RunOnce: [msrepair] msrepair.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [USB Device] win32usb.exe
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\RunOnce: [nternet Explorer] iexplore.exe
O4 - HKCU\..\RunOnce: [Windows DNS Daemon] windnsd.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - HKCU\..\RunOnce: [msrepair] msrepair.exe
O4 - HKCU\..\RunOnce: [USB Device] win32usb.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://sbsmelhr02.corpmel.bhp.com.au/activex/OrgPubX.cab

Appreciate further help if possible. Best regards, Bowie
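The O4 lines in the log above show two persistence patterns a helper looks for by eye: Run values whose bracketed name borrows a Windows binary or brand name ([taskmgr.exe] launching msdos32.exe, [nternet Explorer], [M1cr0s0ft S3rcurity]) and one executable registered in several Run/RunServices/RunOnce keys under both HKLM and HKCU. The following Python is an added triage example, not code from the thread or from HijackThis; the sample lines are copied from the posted log, and the brand word list, the similarity threshold and the three-key cut-off are assumptions made for this illustration.

```python
"""Triage heuristics for HijackThis O4 (autostart) entries.

Two patterns are checked, both visible in the posted log:
  * a Run value whose bracketed name impersonates a Windows binary or brand
    ([taskmgr.exe], [nternet Explorer], [M1cr0s0ft S3rcurity]) while launching
    some other file;
  * one executable registered redundantly across Run, RunServices and RunOnce
    under both HKLM and HKCU, so that deleting a single value leaves the rest.
Heuristics only: a name that copies a brand exactly ([Microsoft Security
Management] winnt.exe) is not caught without an allowlist of known binaries.
"""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Shape of an HJT autostart line: O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
LEET = str.maketrans("013457", "oieast")        # undo digit-for-letter substitution
BRAND_WORDS = ("microsoft", "security", "windows", "internet", "explorer")  # assumed list


def target_basename(cmd):
    """Lower-case file name of the program a Run command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\Program Files\...\x.exe" -flag
        exe = cmd[1:].split('"', 1)[0]
    else:                                        # unquoted path, may contain spaces
        m = re.match(r"(.+?\.(?:exe|bat|com|pif))(?:\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def parse_o4(line):
    """Dict for an O4 Run/RunServices/RunOnce line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["target"] = target_basename(entry["cmd"])
    return entry


def spoofed_name(name, target):
    """Reason string if the value name impersonates something else, otherwise None."""
    low = name.lower()
    if low.endswith(".exe") and low != target:
        return f"name {name!r} looks like a binary but launches {target!r}"
    words = low.split()
    for word in low.translate(LEET).split():
        for brand in BRAND_WORDS:
            near_miss = SequenceMatcher(None, word, brand).ratio() >= 0.8 and word != brand
            leet_copy = word == brand and word not in words   # brand spelled with digits
            if near_miss or leet_copy:
                return f"name {name!r} is a look-alike of {brand!r}"
    return None


def redundant_autostarts(entries, min_keys=3):
    """Targets registered in at least min_keys distinct hive\\key locations."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["target"]].add(f"{e['hive']}\\{e['key']}")
    return {t: sorted(keys) for t, keys in seen.items() if len(keys) >= min_keys}


def triage(lines):
    """List of (target, reason) findings for the O4 lines of an HJT log."""
    entries = [e for e in map(parse_o4, lines) if e]
    findings = [(e["target"], spoofed_name(e["name"], e["target"])) for e in entries]
    findings = [f for f in findings if f[1]]
    for target, keys in redundant_autostarts(entries).items():
        findings.append((target, f"registered in {len(keys)} autostart keys: {', '.join(keys)}"))
    return findings


# Sample input: a subset of the O4 lines from the posted log, benign entries included.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [nternet Explorer] iexplore.exe",
    r"O4 - HKLM\..\Run: [winlogin.exe] C:\WINNT\paint.exe",
    r"O4 - HKLM\..\Run: [taskmgr.exe] C:\WINNT\msdos32.exe",
    r"O4 - HKLM\..\Run: [Windows DNS Daemon] windnsd.exe",
    r"O4 - HKLM\..\Run: [M1cr0s0ft S3rcurity] systemconfig.exe",
    r"O4 - HKLM\..\RunServices: [Windows DNS Daemon] windnsd.exe",
    r"O4 - HKLM\..\RunOnce: [Windows DNS Daemon] windnsd.exe",
    r"O4 - HKCU\..\Run: [internat.exe] internat.exe",
    r"O4 - HKCU\..\Run: [Windows DNS Daemon] windnsd.exe",
    r"O4 - HKCU\..\RunOnce: [Windows DNS Daemon] windnsd.exe",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
]

if __name__ == "__main__":
    for target, reason in triage(SAMPLE_LINES):
        print(f"{target:20} {reason}")
```

Entries such as [TrackPointSrv] tp4serv.exe and [internat.exe] internat.exe pass both checks, so the output lists only the four spoofed names and the redundantly registered windnsd.exe.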

#4 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:09 AM

Posted 02 December 2004 - 01:36 AM

Looks as though we have some work to do. Give me some time to look over the logs and I will be back to you as soon as I can.

In the meantime, let's see what these on-line scans will cough up.

BitDefender

TrendMicro

Kaspersky

Let them fix all that they find.

You mentioned having already run Spybot and Ad-Aware. Did you update them both before doing so, and are you using Ad-Aware SE?
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals

#5 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:09 AM

Posted 02 December 2004 - 09:49 AM

I want to see what those scans will clean out before proceeding with any fix.

Be sure to REBOOT after each scan has completed.

Then update both Spybot and Ad-AwareSE and run them both until they report nothing found.

REBOOT

Scan again with HJT and post a fresh log.

#6 Bowie

Bowie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 04 December 2004 - 08:17 PM

Having some real internet access problems now, Indrid_Cold.
I thought I posted this reply yesterday but it obviously never made it.

I have updated Spybot and re-run it. It cannot fix a few things it recognises as malware - DyFuca, DSO Exploit, a Powerscan entry, etc.

I updated Ad-Aware SE and re-ran it. It hangs up after a few seconds. Mostly it seems to get stuck when scanning C:\so.exe

Some other perhaps relevant info:
I have some dodgy looking folders on my C drive:
- C:\Program Files\Windows TaskAd
- C:\Program Files\Search Relevancy
- C:\Program Files\EPO Agent
- C:\Program Files\DirectX

Hope you can help. Thanks and regards, Bowie



Logfile of HijackThis v1.98.2
Scan saved at 09:29:48, on 04/12/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\SYSMGT\TNGDTS\CAM\bin\cam.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\LogWatNT.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\sysmgt\tngrco\RCManClient.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\sysmgt\TNGSD\BIN\SDSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\SYSMGT\TNGDTS\bin\tngdta.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\sysmgt\TNGSD\BIN\TRIGGAG.EXE
C:\Program Files\ORL\VNC\WinVNC.Exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\System32\S3Tray2.exe
C:\WINNT\System32\PRPCUI.exe
C:\WINNT\System32\RunDll32.exe
C:\sysmgt\TNGSD\BIN\triggusr.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINNT\paint.exe
C:\WINNT\msdos32.exe
C:\WINNT\system32\windrar.exe
C:\WINNT\site.exe
C:\Program Files\Windows TaskAd\WinSched.exe
C:\WINNT\gam.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\gpb2.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINNT\dieset.exe
C:\WINNT\System32\systemconfig.exe
C:\WINNT\System32\windnsd.exe
C:\WINNT\System32\msgrsv32.exe
C:\WINNT\System32\svhost33.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\WINNT\System32\dllmanager.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINNT\System32\msrepair.exe
C:\WINNT\NaughtyPlayer-Marc99.exe
C:\WINNT\TEMP\1123A.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\explorer.exe
C:\DeskBikini.exe
C:\WINNT\TEMP\1124B.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\Toolbar.exe
C:\WINNT\TEMP\11254.exe
C:\so.exe
C:\WINNT\System32\win32usb.exe
C:\Program Files\Windows TaskAd\WinTaskAd.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\System32\taskmgr.exe
C:\HijackThis\HijackThis.exe
C:\WINNT\System32\win32usb.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll (file missing)
O3 - Toolbar: FWN Toolbar - {3D0BDAB3-12F4-471C-8966-E35A2C6C7DE7} - C:\WINNT\system32\FWNToolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [CfgDownload] C:\IXOS-ARCHIVE\bin\CfgDownload.exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [winlogin.exe] C:\WINNT\paint.exe
O4 - HKLM\..\Run: [taskmgr.exe] C:\WINNT\msdos32.exe
O4 - HKLM\..\Run: [Spool] C:\WINNT\system32\windrar.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [notepad.exe] C:\WINNT\site.exe
O4 - HKLM\..\Run: [Adobe] C:\WINNT\gam.exe
O4 - HKLM\..\Run: [Services] C:\gpb2.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Printer] C:\WINNT\dieset.exe
O4 - HKLM\..\Run: [lyxib] C:\WINNT\lyxib.exe
O4 - HKLM\..\Run: [msrepair] msrepair.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [ldycrttdyn] C:\WINNT\System32\kqgsjypk.exe
O4 - HKLM\..\Run: [svshost32] C:\WINNT\System32\msgrsv32.exe
O4 - HKLM\..\Run: [M1cr0s0ft S3rcurity] systemconfig.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [Internet Explorer] rsvp.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [Services Startup] svhost33.exe
O4 - HKLM\..\Run: [USB Device] win32usb.exe
O4 - HKLM\..\RunServices: [msrepair] msrepair.exe
O4 - HKLM\..\RunServices: [M1cr0s0ft S3rcurity] systemconfig.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [Internet Explorer] rsvp.exe
O4 - HKLM\..\RunServices: [Services Startup] svhost33.exe
O4 - HKLM\..\RunServices: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [USB Device] win32usb.exe
O4 - HKLM\..\RunOnce: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [msrepair] msrepair.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - Startup: botrev.bat
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: hp officejet 4100 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://sbsmelhr02.corpmel.bhp.com.au/activex/OrgPubX.cab

#7 Indrid_Cold

Indrid_Cold

  • Members
  • 121 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:09 AM

Posted 05 December 2004 - 08:42 AM

Looking it over and will be back to you soon.

Did you manage to run those on-line scans I provided links to?

#8 Bowie

Bowie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 05 December 2004 - 05:22 PM

Thanks.

I had great difficulty in running those other programs. I did get TrendMicro to run and fixed the things it threw up.

Will await your review. Regards, Bowie

#9 Bowie

Bowie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 05 December 2004 - 10:36 PM

Am hopefully making some progress on this. Today, I have:

1. Removed these programs via Control Panel:
- FWN Toolbar
- ISTsvc
- Search Bar
- Windows TaskAd

2. Ran HijackThis again - nothing in your previous list was in the log

3. Deleted following folders via Windows Explorer:
C:\Program files......
- \Search Relevancy
- \Web specials
- \WinAd Client

4. Re-booted

5. Re-ran Ad-Aware SE and it worked this time! I deleted all items it suggested (lots). Log below.

6. Re-ran Spybot S&D. It found a few entries and deleted them. It could not delete an entry called "DyFuca.InternetOptimizer" but it might once I again re-boot.

Internet performance is now better, so hopefully am making some inroads.

Below is the Ad-Aware SE log and then the latest HJT scan results.

Cheers, Bowie

Ad-Aware SE Build 1.05
Logfile Created on:06 December 2004 13:36:20
Using definitions file:SE1R20 25.11.2004
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:8):24 total references
BroadCastPC(TAC index:7):2 total references
ClickSpring(TAC index:6):3 total references
DyFuCA(TAC index:3):23 total references
Elitum.ElitebarBHO(TAC index:5):3 total references
FindWhateverNow(TAC index:7):14 total references
istbar(TAC index:6):34 total references
MRU List(TAC index:0):29 total references
Possible Browser Hijack attempt(TAC index:3):10 total references
Powerscan(TAC index:5):3 total references
SideFind(TAC index:5):39 total references
Targetsavers(TAC index:8):28 total references
Tracking Cookie(TAC index:3):5 total references
WinAD(TAC index:7):4 total references
VX2(TAC index:10):29 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


06-12-2004 13:36:20 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\mediaplayer\player\recenturllist
Description : list of recently used web addresses in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\office\9.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-118315151-717182974-2099212325-1710\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\AEBOWM\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\AEBOWM\recent
Description : list of recently opened documents


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 06-12-2004 02:26:20
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 06-12-2004 02:26:48
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 172
ThreadCreationTime : 06-12-2004 02:26:50
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 06-12-2004 02:26:52
BasePriority : Normal
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 06-12-2004 02:26:52
BasePriority : Normal
FileVersion : 5.00.2195.5430
ProductVersion : 5.00.2195.5430
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [ibmpmsvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 340
ThreadCreationTime : 06-12-2004 02:26:54
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 392
ThreadCreationTime : 06-12-2004 02:26:55
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 448
ThreadCreationTime : 06-12-2004 02:26:57
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 496
ThreadCreationTime : 06-12-2004 02:26:58
BasePriority : Normal
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:10 [aolacsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ProcessID : 560
ThreadCreationTime : 06-12-2004 02:27:02
BasePriority : Normal


#:11 [hidserv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 624
ThreadCreationTime : 06-12-2004 02:27:06
BasePriority : Normal
FileVersion : 5.00.2195.4875
ProductVersion : 5.00.2195.4875
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : HIDSERV.EXE

#:12 [logwatnt.exe]
FilePath : C:\WINNT\
ProcessID : 648
ThreadCreationTime : 06-12-2004 02:27:06
BasePriority : Normal


#:13 [msssrv.exe]
FilePath : C:\Program Files\McAfee\McAfee AntiSpyware\
ProcessID : 660
ThreadCreationTime : 06-12-2004 02:27:07
BasePriority : Normal
FileVersion : 1.00.1117.0
ProductVersion : 1.00.1117.0
ProductName : McAfee AntiSpyware
CompanyName : Network Associates, Inc.
FileDescription : McAfee AntiSpyware RealTime Service
InternalName : MssSrv.exe
LegalCopyright : Copyright © 2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : MssSrv.exe

#:14 [naimas32.exe]
FilePath : C:\Program Files\ePOAgent\
ProcessID : 688
ThreadCreationTime : 06-12-2004 02:27:07
BasePriority : Normal
FileVersion : 2.5.1.252
ProductName : ePolicy Orchestrator
CompanyName : Network Associates, Inc.
FileDescription : NAI ePolicy Orchestrator Agent
InternalName : naimas32
LegalCopyright : Copyright© 2000-2002 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : naimas32.exe

#:15 [rcmanclient.exe]
FilePath : C:\sysmgt\tngrco\
ProcessID : 708
ThreadCreationTime : 06-12-2004 02:27:09
BasePriority : Normal
FileVersion : 5.1.0.61
ProductVersion : 5.1
ProductName : Unicenter TNG Remote Control Option
CompanyName : Computer Associates International, Inc.
LegalCopyright : Copyright © Computer Associates Int'l, Inc. 1998
LegalTrademarks : TNG ™ is a trademark of Computer Associates International, Inc.
Comments : Build 5.1.0.61

#:16 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 732
ThreadCreationTime : 06-12-2004 02:27:10
BasePriority : Normal
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:17 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 752
ThreadCreationTime : 06-12-2004 02:27:10
BasePriority : Normal
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:18 [sdserv.exe]
FilePath : C:\sysmgt\TNGSD\BIN\
ProcessID : 844
ThreadCreationTime : 06-12-2004 02:27:15
BasePriority : Normal


#:19 [stisvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 864
ThreadCreationTime : 06-12-2004 02:27:15
BasePriority : Normal
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:20 [wanmpsvc.exe]
FilePath : C:\WINNT\
ProcessID : 948
ThreadCreationTime : 06-12-2004 02:27:17
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:21 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 984
ThreadCreationTime : 06-12-2004 02:27:18
BasePriority : Normal
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:22 [triggag.exe]
FilePath : C:\sysmgt\TNGSD\BIN\
ProcessID : 992
ThreadCreationTime : 06-12-2004 02:27:19
BasePriority : Normal


#:23 [winvnc.exe]
FilePath : C:\Program Files\ORL\VNC\
ProcessID : 1012
ThreadCreationTime : 06-12-2004 02:27:20
BasePriority : Normal
FileVersion : 3, 3, 3, 9
ProductVersion : 3, 3, 3, 9
ProductName : AT&T Research Labs Cambridge - WinVNC
CompanyName : AT&T Research Labs Cambridge
FileDescription : VNC server for Win32
InternalName : WinVNC
LegalCopyright : Copyright AT&T Research Labs Cambridge© 1998-2001
LegalTrademarks : VNC
OriginalFilename : WinVNC.exe

#:24 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ProcessID : 924
ThreadCreationTime : 06-12-2004 02:27:20
BasePriority : Normal
FileVersion : 7.10.00.3059
ProductVersion : 7.10.00.3059
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:25 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1048
ThreadCreationTime : 06-12-2004 02:27:20
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:26 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 1236
ThreadCreationTime : 06-12-2004 02:28:05
BasePriority : Normal
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:27 [tp4serv.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1292
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal
FileVersion : 3.03
ProductVersion : 3.03
ProductName : IBM PS/2 TrackPoint Support
CompanyName : IBM Corporation
FileDescription : IBM PS/2 TrackPoint Daemon
InternalName : daemon.exe
LegalCopyright : Copyright © IBM Corporation 1997-2001
OriginalFilename : daemon.exe

#:28 [ltmsg.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1300
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal
FileVersion : 1, 0, 1, 12
ProductVersion : 1, 0, 1, 12
ProductName : LUCENT TECHNOLOGIES ltmsg
CompanyName : LUCENT TECHNOLOGIES
FileDescription : ltmsg
InternalName : ltmsg
LegalCopyright : Copyright © 1999
OriginalFilename : ltmsg.exe
Comments : Messaging application for Lucent Modem

#:29 [tphkmgr.exe]
FilePath : C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\
ProcessID : 1308
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal


#:30 [s3tray2.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1324
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal
FileVersion : 1.00.14-1105
ProductVersion : 1.00.14-1105
ProductName : S3 Graphics Utilities
CompanyName : S3 Graphics, Inc.
FileDescription : s3contrl
InternalName : s3contrl
LegalCopyright : Copyright © 2001 S3 Graphics, Inc.
LegalTrademarks : S3 is a registered trademark of S3 Incorporated
OriginalFilename : s3contrl.exe

#:31 [prpcui.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1336
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal
FileVersion : 2.1.0.0
ProductVersion : 2.1.0.0
ProductName : Intel® SpeedStep™ technology applet
CompanyName : Intel Corporation
FileDescription : Intel® SpeedStep™ technology User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-2001
LegalTrademarks : Intel® SpeedStep™ technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet v2.1

#:32 [rundll32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1348
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : RUNDLL.EXE

#:33 [triggusr.exe]
FilePath : C:\sysmgt\TNGSD\BIN\
ProcessID : 1364
ThreadCreationTime : 06-12-2004 02:28:10
BasePriority : Normal


#:34 [naimag32.exe]
FilePath : C:\Program Files\ePOAgent\
ProcessID : 1312
ThreadCreationTime : 06-12-2004 02:28:11
BasePriority : Normal
FileVersion : 2.5.1.252
ProductName : ePolicy Orchestrator
CompanyName : Network Associates, Inc.
FileDescription : NAI ePolicy Orchestrator Agent GUI
InternalName : naimag32
LegalCopyright : Copyright© 2000-2002 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : naimag32.exe

#:35 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1220
ThreadCreationTime : 06-12-2004 02:28:11
BasePriority : Normal
FileVersion : 0.1.0.2879
ProductVersion : 0.1.0.2879
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2003
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:36 [aoldial.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1388
ThreadCreationTime : 06-12-2004 02:28:12
BasePriority : Normal
FileVersion : 2.0.20.1.UK.223
ProductVersion : 2.0.20.1.UK.223
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:37 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1396
ThreadCreationTime : 06-12-2004 02:28:12
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:38 [bpcable.exe]
FilePath : C:\Program Files\Telstra\Cable Login\
ProcessID : 1412
ThreadCreationTime : 06-12-2004 02:28:13
BasePriority : Normal
FileVersion : Version 1.1
ProductVersion : Version 1.1
ProductName : BigPond Broadband Cable Login
CompanyName : Telstra
FileDescription : BigPond Broadband Cable Login
InternalName : bpcable
LegalCopyright : Copyright © Telstra Corporation Limited 2003, 2004.
OriginalFilename : bpcable.exe

#:39 [paint.exe]
FilePath : C:\WINNT\
ProcessID : 1432
ThreadCreationTime : 06-12-2004 02:28:14
BasePriority : Normal


#:40 [msdos32.exe]
FilePath : C:\WINNT\
ProcessID : 1440
ThreadCreationTime : 06-12-2004 02:28:14
BasePriority : Normal


#:41 [windrar.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1448
ThreadCreationTime : 06-12-2004 02:28:15
BasePriority : Normal


#:42 [site.exe]
FilePath : C:\WINNT\
ProcessID : 1468
ThreadCreationTime : 06-12-2004 02:28:15
BasePriority : Normal


#:43 [gam.exe]
FilePath : C:\WINNT\
ProcessID : 1476
ThreadCreationTime : 06-12-2004 02:28:16
BasePriority : Normal


#:44 [gpb2.exe]
FilePath : C:\
ProcessID : 1488
ThreadCreationTime : 06-12-2004 02:28:16
BasePriority : Normal


#:45 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ProcessID : 1504
ThreadCreationTime : 06-12-2004 02:28:17
BasePriority : Normal
FileVersion : 5, 0, 0, 2
ProductVersion : 5, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2004 Networks Associates Technology, Inc.
OriginalFilename : mcagent.exe

#:46 [msscli.exe]
FilePath : C:\Program Files\McAfee\McAfee AntiSpyware\
ProcessID : 1520
ThreadCreationTime : 06-12-2004 02:28:18
BasePriority : Normal
FileVersion : 1.00.1117.0
ProductVersion : 1.00.1117.0
ProductName : McAfee AntiSpyware
CompanyName : Network Associates, Inc.
FileDescription : McAfee AntiSpyware RealTime Client
InternalName : MssCli.exe
LegalCopyright : Copyright © 2004 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : MssCli.exe

#:47 [dieset.exe]
FilePath : C:\WINNT\
ProcessID : 1536
ThreadCreationTime : 06-12-2004 02:28:18
BasePriority : Normal


#:48 [systemconfig.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1584
ThreadCreationTime : 06-12-2004 02:28:21
BasePriority : Normal


#:49 [msgrsv32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1604
ThreadCreationTime : 06-12-2004 02:28:21
BasePriority : Normal


#:50 [svhost33.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1624
ThreadCreationTime : 06-12-2004 02:28:23
BasePriority : Normal


#:51 [bsc32.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1656
ThreadCreationTime : 06-12-2004 02:28:25
BasePriority : Normal


#:52 [internat.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1700
ThreadCreationTime : 06-12-2004 02:28:27
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Keyboard Language Indicator Applet
InternalName : INTERNAT
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE

#:53 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 4.0\Distillr\
ProcessID : 1376
ThreadCreationTime : 06-12-2004 02:28:31
BasePriority : Normal


#:54 [aoltray.exe]
FilePath : C:\Program Files\AOL 9.0\
ProcessID : 1856
ThreadCreationTime : 06-12-2004 02:28:32
BasePriority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright © America Online, Inc. 1999 - 2004

#:55 [hpomau08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 1644
ThreadCreationTime : 06-12-2004 02:28:37
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOMAU08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOMAU08.EXE
Comments : HP OfficeJet <Maui> Series COM Device Objects

#:56 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 1672
ThreadCreationTime : 06-12-2004 02:28:38
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : Hewlett-Packard hpotdd01
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
LegalCopyright : Copyright © 2002
OriginalFilename : hpotdd01.exe

#:57 [sonytray.exe]
FilePath : C:\Program Files\Sony Corporation\Image Transfer\
ProcessID : 2008
ThreadCreationTime : 06-12-2004 02:28:38
BasePriority : Normal


#:58 [calcheck.exe]
FilePath : C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\
ProcessID : 1984
ThreadCreationTime : 06-12-2004 02:28:40
BasePriority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : Calendar Checker Application
CompanyName : Ulead Systems, Inc.
FileDescription : Photo Express -- Calendar Checker
InternalName : CalCheck
LegalCopyright : Copyright © 1992-1999.Ulead Systems, Inc.
LegalTrademarks : Ulead Systems, MediaStudio, PhotoImpact and Photo Express are registered trademarks of Ulead Systems, Inc.
OriginalFilename : CalCheck.EXE

#:59 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2056
ThreadCreationTime : 06-12-2004 02:28:45
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOEVM08.EXE
Comments : HP OfficeJet COM Event Manager

#:60 [hpzipm12.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1736
ThreadCreationTime : 06-12-2004 02:29:55
BasePriority : Normal
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:61 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 1152
ThreadCreationTime : 06-12-2004 02:30:07
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOSTS08.EXE
Comments : HP OfficeJet Status

#:62 [hpofxm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ProcessID : 1712
ThreadCreationTime : 06-12-2004 02:30:08
BasePriority : Normal
FileVersion : 4.2.0.020
ProductVersion : 2.4.1.020
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP AiO Fax Manager
InternalName : HPOFXM08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOFXM08.EXE
Comments : HP AiO Fax Manager

#:63 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Professional\
ProcessID : 3248
ThreadCreationTime : 06-12-2004 02:36:02
BasePriority : Normal
FileVersion : 6.2.0.208
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc}

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\avenue media

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : TargetDir

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : CLS

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : RID

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : Version

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : TAC

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : ServerVisited

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : UpdateInterval

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : ID

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : InstallT

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : remember[LLT]

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : Conn

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : 403

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : 404

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : 410

DyFuCA Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer
Value : 500

DyFuCA Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0e9db3ab-d16a-47cf-b59a-f74d649bea5b}

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3dbbf8b7-a97c-4a92-8d27-d29222e6b60f}

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3dbbf8b7-a97c-4a92-8d27-d29222e6b60f}
Value :

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : fwn.isubclass

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : fwn.isubclass
Value :

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : fwn.fwntoolbar

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : fwn.fwntoolbar
Value :

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3d156636-3f7e-46c9-9ac1-5e4d8202aa23}

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3d156636-3f7e-46c9-9ac1-5e4d8202aa23}
Value :

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3d0bdab3-12f4-471c-8966-e35a2c6c7de7}

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3d0bdab3-12f4-471c-8966-e35a2c6c7de7}
Value :

FindWhateverNow Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ea9d65a3-8fa2-433e-9caf-68c6e43555af}

FindWhateverNow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ea9d65a3-8fa2-433e-9caf-68c6e43555af}
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj.1

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj.1
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : ysb.ysbobj
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}
Value :

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : InstallDate

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : account_id

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : config

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : Recover

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-118315151-717182974-2099212325-1710\software\ist

istbar Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-118315151-717182974-2099212325-1710\software\ist
Value : NeverISTsvc

istbar Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .DEFAULT\software\istbar

SideFind Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : Default Visible

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : ButtonText

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : HotIcon

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : Icon

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : CLSID

SideFind Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\extensions\{10e42047-deb9-4535-a118-b3f6ec39b807}
Value : BandCLSID

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : browserhelperobject.bahelper

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : browserhelperobject.bahelper
Value :

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : browserhelperobject.bahelper.1

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : browserhelperobject.bahelper.1
Value :

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}
Value :

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sidefind.finder

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sidefind.finder
Value :

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sidefind.finder.1

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : sidefind.finder.1
Value :

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{d0288a41-9855-4a9b-8316-babe243648da}

SideFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\sidefind

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\sidefind
Value : webautosearch

SideFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : so
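
The log above is what a helper has to triage by eye: processes whose block carries no FileVersion/CompanyName lines while sitting directly in C:\WINNT, C:\WINNT\System32 or C:\ (paint.exe, msdos32.exe, windrar.exe, site.exe, gam.exe, gpb2.exe, dieset.exe, systemconfig.exe, msgrsv32.exe, svhost33.exe, bsc32.exe), a name that imitates a real service (svhost33.exe next to svchost.exe), and a registry scan that groups into a handful of families (DyFuCA, FindWhateverNow, istbar, SideFind). The script below automates that first pass. It is an added example written for this page, not code from the thread, from Lavasoft or from HijackThis; SAMPLE_LOG is a constructed excerpt of the log above trimmed to a few blocks, and KNOWN_SYSTEM_NAMES is an assumed list of Windows 2000 binaries, not anything the scanner ships.

```python
"""Triage helper for the Ad-Aware SE log format above ('#:N [name]' process
blocks and '<family> Object Recognized!' registry findings). Added example,
not code from the thread, Lavasoft or HijackThis."""
import re
from collections import defaultdict

# Directories where a binary that carries no version resource deserves a second look.
SYSTEM_DIRS = {"c:\\winnt\\", "c:\\winnt\\system32\\", "c:\\"}
# Assumed list of Windows 2000 binaries whose names malware likes to imitate.
KNOWN_SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer", "spoolsv", "rundll"}

# Constructed excerpt of the log above, trimmed to a few representative blocks.
SAMPLE_LOG = r"""#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
FileVersion : 5.00.2134.1
CompanyName : Microsoft Corporation

#:39 [paint.exe]
FilePath : C:\WINNT\
BasePriority : Normal

#:50 [svhost33.exe]
FilePath : C:\WINNT\System32\
BasePriority : Normal

DyFuCA Object Recognized!
Type : Regkey
Rootkey : HKEY_LOCAL_MACHINE
Object : software\avenue media\internet optimizer

istbar Object Recognized!
Type : RegValue
Rootkey : HKEY_USERS
Object : .DEFAULT\software\ist
Value : config

SideFind Object Recognized!
Type : Regkey
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\sidefind
"""
PROC_HEADER = re.compile(r"^#:(\d+) \[(.+?)\]$")
FINDING_HEADER = re.compile(r"^(.+?) Object Recognized!$")
KV = re.compile(r"^(\w+) : ?(.*)$")

def parse_log(text):
    """Split the log into process dicts and finding dicts; a blank line closes a block."""
    processes, findings, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROC_HEADER.match(line):
            current = {"index": int(m.group(1)), "name": m.group(2).lower()}
            processes.append(current)
        elif m := FINDING_HEADER.match(line):
            current = {"family": m.group(1)}
            findings.append(current)
        elif (m := KV.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
        elif not line:
            current = None
    return processes, findings

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """System binary a name imitates (digits dropped, so svhost33.exe -> svhost), else None."""
    stem = re.sub(r"\d", "", name.rsplit(".", 1)[0])
    if stem in KNOWN_SYSTEM_NAMES:
        return None
    return next((k for k in KNOWN_SYSTEM_NAMES if edit_distance(stem, k) <= 1), None)

def flag_processes(processes):
    """Map process name -> reasons it deserves a second look; a hint, not a verdict."""
    flagged = defaultdict(list)
    for p in processes:
        if p.get("FilePath", "").lower() in SYSTEM_DIRS and not p.keys() & {"FileVersion", "CompanyName"}:
            flagged[p["name"]].append("no version resource in " + p["FilePath"])
        if known := lookalike_of(p["name"]):
            flagged[p["name"]].append("name resembles " + known + ".exe")
    return dict(flagged)

def summarize_findings(findings):
    """Per family: number of recognized registry objects and the hives they live under."""
    summary = defaultdict(lambda: [0, set()])
    for f in findings:
        summary[f["family"]][0] += 1
        summary[f["family"]][1].add(f.get("Rootkey", "?"))
    return {fam: (n, sorted(roots)) for fam, (n, roots) in summary.items()}

if __name__ == "__main__":
    procs, finds = parse_log(SAMPLE_LOG)
    print(flag_processes(procs))
    print(summarize_findings(finds))
```

Run against the full log, the missing-version-resource rule also trips on ibmpmsvc.exe, tphkmgr.exe, sdserv.exe and the other OEM and management binaries that show no version block above, so treat the output as a prioritised worklist to check against known paths and file hashes, not as a list of things to delete. The family summary is what tells you which HKLM and HKU branches will need cleaning once the processes are gone.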

#10 Indrid_Cold

  • Members
  • 121 posts
  • Gender:Male
  • Local time:01:09 AM

Posted 06 December 2004 - 02:43 AM

Well done!

You should now try those on-line scans that you were unable to do previously. You have a lot of malware in that log, and whatever can be auto-cleaned is a bonus.

Remember to reboot after each scan.

Then:
Post a fresh log so I can see what is still left to do.
Hope is not a method.

ASAP Proud member since 2004
Alliance of Security Analysis Professionals



