
HIJSCKTHISLOG-chriscross


26 replies to this topic

#1 chriscross
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 08 January 2005 - 06:50 PM

Hi guys,

I need your help, and thanks in advance! I am trying to get my mom's computer running correctly, but I am just a simple carpenter and this thing has very few wooden parts. This system is plagued by popups and hijacking, it runs very slow and has no help feature. It displays "Cannot open the file: %systemroot%\help\windows.chm", and the desktop is corrupt as well.

I have updated all the critical updates, and have run Ad-Aware, Spybot 1.3, the Panda online scanner, and Avast. I was at SECURITY-FORUMS but they are having technical difficulty. Groovicus recommended I come here; he said it was their home away from home and Meeeeeeeee could help me.

When I start the computer I get these messages: "C:\WINDOWS\StartMenu\Program\StartUp\PowerReg Scheduler.exe is not a valid Win32 application." and "Error loading C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL. The system cannot find the path specified." It also informs me that I have uninstalled a part of Kazaa Media Desktop that is needed to run: "Please reinstall Kazaa Media Desktop from www.Kazza.com."

Please help, I am afraid I am making things worse! I don't even know how to type! I have no CD backup and cannot seem to figure out how to do it from the files. Before I ran HijackThis I saved all the files, but when I apply this I go back to square one, without "help" and with a corrupt desktop. Also Spybot does not finish; it says "Error during check! Winpup32 [Ungültiger Datentyp für "] ("Invalid data type for") DSO Exploit." And finally, if and when I am told to delete something, should I delete it from the registry as well?

Thanks, Chris

Logfile of HijackThis v1.99.0
Scan saved at 5:43:40 PM, on 1/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
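
The look-over that the helpers in this thread do by eye can be scripted. The block below is an added example, not code from the original thread or from HijackThis itself: it parses a handful of lines copied from the log above (the sample input is constructed from those lines) and flags the ones worth a second look: the two Run values whose names contain another program's path in brackets and whose target is a bare executable in the drive root, the executable dropped straight into the Startup folder, the O15 entries that put an address in IE's Trusted Sites zone, and any BHO or downloaded ActiveX control not on an allowlist. The allowlists (Spybot's SDHelper CLSID, the Panda and Symantec domains) are assumptions made for the example.

```python
"""Triage of a HijackThis log: parse the section-prefixed lines and flag
the entries a forum helper looks at first.  Added example, not code from
the thread or from HijackThis itself."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: lines copied from the first log above, with a
# legitimate entry next to each suspicious one so every rule has something
# to pass as well as something to flag.
SAMPLE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - Startup: PowerReg Scheduler.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Assumed allowlists for this example.  {53707962-...} is Spybot's SDHelper BHO.
KNOWN_GOOD_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}
TRUSTED_DPF_DOMAINS = ("pandasoftware.com", "symantec.com")

O4_RUN = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<item>.*)$")
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O15_TRUSTED = re.compile(r"^O15 - Trusted (?:IP range|Zone): (?P<target>.*)$")
O16_DPF = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<desc>.*)\) - (?P<url>\S+)$")

# A bare <drive>:\<name>.exe with no directory, as in C:\MXQMWH.EXE above.
ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\\s]+\.exe$", re.IGNORECASE)
# Characters that do not occur in a normal Run value name but do in the two
# garbage names in the log (brackets, braces, path separators).
BAD_NAME_CHARS = set('{}[]\\:*?"<>|')


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, rule) that deserves a human look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := O4_RUN.match(line):
            name, cmd = m["name"], m["cmd"].strip('"')
            if any(c in BAD_NAME_CHARS or not c.isprintable() for c in name):
                findings.append(Finding(line, "Run value name contains path or control characters"))
            if ROOT_EXE.match(cmd):
                findings.append(Finding(line, "autostart target is a bare executable in the drive root"))
        elif m := O4_STARTUP.match(line):
            # Shortcuts show up as "name.lnk = target"; a bare .exe is the
            # program itself sitting in the Startup folder.
            item = m["item"]
            if " = " not in item and item.lower().endswith(".exe"):
                findings.append(Finding(line, "executable placed directly in the Startup folder (no shortcut)"))
        elif m := O2_BHO.match(line):
            if m["clsid"].upper() not in KNOWN_GOOD_BHO:
                findings.append(Finding(line, f"browser helper object {m['clsid']} not on the allowlist"))
        elif m := O15_TRUSTED.match(line):
            findings.append(Finding(line, "entry added to IE's Trusted Sites zone; pages there run with relaxed security"))
        elif m := O16_DPF.match(line):
            host = urlparse(m["url"]).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
                findings.append(Finding(line, f"ActiveX control downloaded from {host!r}, not an allowlisted vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to print the findings, or call `triage(open(path).read())` on a whole log. The value-name rule is the one that matters most for this thread: the two `[0 44}5]...` and `[0+]m*ai...` entries are still present in every later log the poster submits, and a Run value whose name is built from another program's path is not something a legitimate installer writes.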


#2 SifuMike (malware expert)
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 08 January 2005 - 10:44 PM

Hello Chriscross,

Your system is quite a mess, and it may not be able to be cleaned up.

I can give it my best shot, but no guarantees.

First, have you already begun to delete items with HijackThis?

-----------------------------------------------------------------------

It looks like you ran HijackThis in Safe Mode, as many of your running processes are missing from your log.

Please run it in Normal Mode and submit the log after you have completed the stuff below.
You should see about twenty running processes in your log.
-----------------------------------------------------------------------

The DSO Exploit is a security gap in IE. Microsoft has already repaired this, so if you have all Windows updates and patches installed, it is not dangerous for your system.

Download and run Search and Destroy DSO Exploit Fix 1.3.1 TX.
http://www.majorgeeks.com/download4392.html

Spybot - Search & Destroy 1.3 MUST be installed for this update to work properly.

Let it fix everything it finds.

-----------------------------------------------------------------------

After you have run Spybot 1.3, run Ad-Aware SE in Safe Mode with a Full Scan.

Here is how you do that:

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows.  Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.  When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.


-----------------------------------------------------------------------

I see you have KAZAA and P2P Networking installed.

Before we can continue, you need to go to Add/Remove Programs and uninstall KAZAA and P2P Networking, if found.
These applications are probably the #1 way malware is installed on and spread to your system.

-----------------------------------------------------------------------

After you have done the above, reboot and submit another HijackThis log.

If I've saved you time & money, please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 chriscross (Topic Starter)
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 09 January 2005 - 09:49 AM

First, thanks a bunch for the help! Yes, I have deleted stuff from the HJT log. I saved all the files first, if that helps any; I guess some stuff doesn't come back. I am having a time completely removing Kazaa. I tried Kazaa Begone after I did all I could, but it said "ERROR not a valid Dr. Watson File"? I think I got most of it though.

I have done all you said; here is my new HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 8:58:16 AM, on 1/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy3\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#4 SifuMike (malware expert)
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 10:37 AM

Hello Chriscross,

Since I am coming in late on this and you have been deleting items from your log, fixing your computer may be impossible. But I will see what I can do.

If you delete items that HijackThis shows, without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself. If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis.

********************************************************
Go to Add/Remove Programs thru Control Panel.
Uninstall the following if they exist:
WildTangent CDA
WildTangent
MYBAR
ISTBAR


********************************************************

Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

How to reboot into Safe Mode:
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)


********************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders' and deselect 'Hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:
C:\PROGRAM FILES\MYWAY\ <===folder
C:\PROGRAM FILES\KAZAA\ <===folder
C:\Program Files\ISTsvc\ <===folder
C:\MXQMWH.EXE <===file
C:\PROGRA~1\WILDTA~1\ <===folder

********************************************************

Download CCleaner from this site:
http://www.ccleaner.com/
open the program, click on the Windows Tab, and click on Run Cleaner.

********************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

#5 chriscross (Topic Starter)
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 09 January 2005 - 11:57 AM

MY WAY - deleted
MXQMWH.EXE - deleted
The rest of the files are not there.
Wild Tangent - removed
The rest of the programs are not there.
Is the program MY SEARCH BAR = MY BAR? I have not deleted it yet.
CRAP Cleaner done; I was full of CRAP! lol
I deleted the stuff from HJT; some is still there?
Thanks again, Chris

Logfile of HijackThis v1.99.0
Scan saved at 11:12:56 AM, on 1/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy3\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#6 SifuMike (malware expert)
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 02:25 PM

Quote: "Is the program MY SEARCH BAR = MY BAR?"

Yes, uninstall it.
************************************************
You still have a nasty Istbar on your computer.
Download Adware.Istbar Removal Tool at
http://sarc.com/avcenter/venc/data/adware.istbar.html

Follow the instructions for running the tool,
Then run Symantec Virus Check at http://security.symantec.com/sscv6/default...id=ie&venid=sym

************************************************

Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

How to reboot into Safe Mode:
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)



************************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:

C:\Program Files\ISTsvc\ <==folder

************************************************

Run the CCleaner.

************************************************

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

#7 chriscross (Topic Starter)
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 09 January 2005 - 05:40 PM

WoW! The IST BAR REMOVAL TOOL said I had no IST BAR. I followed the path for manual deletion from the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and in the right pane there was no "C:\Program Files\ISTsvc\ISTsvc.exe". There are, however, the TWO lines with the funny symbols followed by MXQMWH.EXE. I did not touch them.
The Symantec virus scanner said I had no virus.
When I press the Remove button to delete My Search Bar a blank page pops up entitled res://C:\PROGRA~1\MYWAY\MYBAR\1.BIN\mybar.dll/101, and when I close it the My Search Bar is still there.
In Program Files I could not find any ISTsvc folder; I looked forever, no luck.
And the HJT log stays the same after the fix; send me to the registry maybe? Maybe Ad-Aware cleaned it up? The computer is still acting funny, but it's getting better. The auto dialer is gone. Thanks again!
Chris

Logfile of HijackThis v1.99.0
Scan saved at 4:38:04 PM, on 1/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy3\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [0 44}5]C:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [0+]m*aiC:\Program Files\ISTsvc\istsvc.exe] C:\MXQMWH.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

#8 SifuMike (malware expert)
  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 06:55 PM

Please post the logs from your last Ad-Aware SE and Spybot 1.3 scans, as I need to check some of the running processes.

You can get the Spybot log by opening Spybot 1.3 > select Mode > Advanced > Tools > View Report > copy and paste the report into your reply.

The fastest way to get the Ad-Aware SE log is to navigate to your Ad-Aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs.

Open this folder and find the correct log.
The logs are named "Ad-Aware-log ##-##-##.txt" (the #'s will be the date of the scan). Highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Now be online, logged in and ready to post your logfile.
Press Ctrl + V and that will paste your logfile into the post!

**************************************************

If you cannot find the Adaware Log file by the above method then you will have to run it to get the log.

Open Adaware SE,

1) Run the WebUpdate feature.

2) Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Advanced Button
Logfile Detail Level:
All options under this should be checked (Green).

Tweak Button
Check (Green) the following:
Log Files
Include basic Ad-Aware settings in logfile:
Include additional Ad-Aware settings in logfile:
Please do not check (Green): Include Module list in logfile:

Click on "Proceed"

3) Click on "Scan Now"

4) Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

5) Run the scanner using the Full Scan (Perform full system scan) mode.
A full scan is the in-depth scan mode that scans your whole computer for Spyware infections. When performing a full scan the following scan settings are used:

- Full Memory Scan is performed
- Registry Scan is performed
- Deep Registry scan is performed
- Cookie-Scan is performed
- Favorites are scanned
- Hosts file is scanned
- Conditional scans are performed
- Archive files are scanned
- All fixed drives are scanned

6) When the scan has completed, do not quarantine or remove anything at this time.
Start your own topic in the appropriate forum.
Click "Show Logfile".
Copy/paste the complete log file in your own topic that you just created.
Remember to post the complete logfile.
You will know you are at the end when you see the "Summary of this scan".

#9 chriscross (Topic Starter)
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 09 January 2005 - 07:26 PM

Spybot:

--- Search result list ---

--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2005-01-04 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2005-01-04 Includes\Trojans.sbi
2004-05-12 Includes\LSP.sbi
2004-11-29 Includes\Tracks.uti


--- System information ---
Windows 98 (Build: 2222) A
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Microsoft Data Access Components KB870669
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update Q308567


--- Startup entries list ---
Located: HK_LM:Run, 0 44}5]C:\Program Files\ISTsvc\istsvc.exe
command: C:\MXQMWH.EXE

Located: HK_LM:Run, 0+]m*aiC:\Program Files\ISTsvc\istsvc.exe
command: C:\MXQMWH.EXE

Located: HK_LM:Run, ashMaiSv
command: C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
file: C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
size: 233520
MD5: 8f5439b8712536808b38624da507998b

Located: HK_LM:Run, Ati2cwxx
command: Ati2cwxx.exe
file: C:\WINDOWS\SYSTEM\Ati2cwxx.exe
size: 21504
MD5: 79082c66877737ffe3c40f20a03a9f8a

Located: HK_LM:Run, AtiGart
command: c:\Ati\Gart\AtiGart.exe
file: c:\Ati\Gart\AtiGart.exe
size: 41472
MD5: c8412ca783f9a5c106c5792a9d10ffea

Located: HK_LM:Run, ATIPOLAB
command: ati2plab.exe
file: C:\WINDOWS\SYSTEM\ati2plab.exe
size: 52736
MD5: 35e49a496c5719ff9e1832c8f49a15f4

Located: HK_LM:Run, AtiPTA
command: Atiptaab.exe
file: C:\WINDOWS\SYSTEM\Atiptaab.exe
size: 219648
MD5: 87a32d44f312e36b841e8e1ac3f559e2

Located: HK_LM:Run, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:Run, OEMCleanup
command: C:\WINDOWS\OPTIONS\OEMRESET.EXE

Located: HK_LM:Run, RealTray
command: C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

Located: HK_LM:Run, ScanRegistry
command: c:\windows\scanregw.exe /autorun
file: c:\windows\scanregw.exe
size: 86016
MD5: f123231689e2ab2fa5c636b99314501f

Located: HK_LM:Run, StillImageMonitor
command: C:\WINDOWS\SYSTEM\STIMON.EXE
file: C:\WINDOWS\SYSTEM\STIMON.EXE
size: 114688
MD5: 3a395315c2d9e63c0ce4704afa404ffa

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 32768
MD5: 73681085dcd0997e531240100ca12b28

Located: HK_LM:Run, TaskMonitor
command: c:\windows\taskmon.exe
file: c:\windows\taskmon.exe
size: 28672
MD5: f795110611101279aa15997801abaca0

Located: HK_LM:Run, WinampAgent
command: "C:\Program Files\Winamp3\winampa.exe"
file: C:\Program Files\Winamp3\winampa.exe
size: 12288
MD5: 6bf81517c708f53b8e22eb624ee3723a

Located: HK_LM:RunServices, avast!
command: C:\Program Files\Alwil Software\Avast4\ashServ.exe
file: C:\Program Files\Alwil Software\Avast4\ashServ.exe
size: 86064
MD5: d2c1c5a59284846362fec113b6b16415

Located: HK_LM:RunServices, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:RunServices, SchedulingAgent
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 111888
MD5: e2460018cb7c7d185b6278f7c1770151

Located: HK_CU:Run, AIM
command: C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

Located: HK_CU:Run, a-squared
command: "C:\Program Files\a2\a2guard.exe"
file: C:\Program Files\a2\a2guard.exe
size: 572416
MD5: 811f7dfe1bdaa28fc27926cee3ae92a1

Located: HK_CU:Run, Weather
command: C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1

Located: Startup (user), America Online 7.0 Tray Icon.lnk
command: C:\Program Files\America Online 7.0\aoltray.exe
file: C:\Program Files\America Online 7.0\aoltray.exe
size: 32842
MD5: c2650a5ffe7bacfb3abb3ddfaf190c2c

Located: Startup (user), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a



--- Browser helper object list ---
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy3\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 5/12/04 1:03:00 AM
Date (last access): 1/9/05
Date (last write): 5/12/04 1:03:00 AM
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3



--- ActiveX list ---
{9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
DPF name:
CLSID name: Update Class
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: iuctl.dll
Short name: IUCTL.DLL
Date (created): 8/21/03 4:47:54 PM
Date (last access): 1/9/05
Date (last write): 8/21/03 4:47:54 PM
Filesize: 162400
Attributes:
MD5: DB2F1F57D3057FEBC19C61AB9AA77198
CRC32: 5A03D776
Version: 0.5.0.3

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: asinst.dll
Short name: ASINST.DLL
Date (created): 11/30/04 1:59:10 PM
Date (last access): 1/9/05
Date (last write): 11/30/04 1:59:10 PM
Filesize: 110592
Attributes:
MD5: 12B2C141F037D7833452DDD5AF1EB5C6
CRC32: 2B10119C
Version: 0.56.0.2

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
DPF name:
CLSID name: Symantec RuFSI Utility Class
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: rufsi.dll
Short name: RUFSI.DLL
Date (created): 10/26/04 6:14:18 PM
Date (last access): 1/9/05
Date (last write): 10/26/04 6:14:18 PM
Filesize: 160928
Attributes:
MD5: 7FC8A8D89A80ED7443F00C31AEDAC9A9
CRC32: 3EC34C3D
Version: 7.212.0.6

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
DPF name:
CLSID name: Symantec AntiVirus scanner
description: Symantec online scanner
classification: Legitimate
known filename: AVSNIFF.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: avsniff.dll
Short name: AVSNIFF.DLL
Date (created): 10/26/04 6:14:08 PM
Date (last access): 1/9/05
Date (last write): 10/26/04 6:14:08 PM
Filesize: 197760
Attributes:
MD5: 8C505A352CE49B8BB0822D67EF8892E6
CRC32: 6768F662
Version: 7.212.0.6



--- Process list ---
Spybot - Search && Destroy process list report, 1/9/05 6:23:15 PM

PID: 4279205941 (2123321821) C:\WINDOWS\SYSTEM\KERNEL32.DLL
PID: 4294054857 (4294578565) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
PID: 4294183289 (4294372221) C:\WINDOWS\SYSTEM\TAPISRV.EXE
PID: 4294244957 (4294372221) C:\WINDOWS\SYSTEM\RNAAPP.EXE
PID: 4294357973 (4294712201) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY3\SPYBOTSD.EXE
PID: 4294372221 (4294429157) C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
PID: 4294390973 (4294372221) C:\WINDOWS\SYSTEM\SPOOL32.EXE
PID: 4294497917 (4294578565) C:\WINDOWS\SYSTEM\DDHELP.EXE
PID: 4294560661 (4294648201) C:\WINDOWS\SYSTEM\WMIEXE.EXE
PID: 4294593121 (4294712201) C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
PID: 4294597185 (4294712201) C:\WINDOWS\SYSTEM\STIMON.EXE
PID: 4294604421 (4294712201) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
PID: 4294625637 (4294712201) C:\PROGRAM FILES\A2\A2GUARD.EXE
PID: 4294639081 (4294712201) C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
PID: 4294646585 (4294712201) C:\WINDOWS\TASKMON.EXE
PID: 4294648201 (4294712201) C:\WINDOWS\SYSTEM\SYSTRAY.EXE
PID: 4294673009 (4294712201) C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
PID: 4294681005 (4294712201) C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
PID: 4294692785 (4294712201) C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
PID: 4294703449 (4294712201) C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
PID: 4294712201 (4294857865) C:\WINDOWS\EXPLORER.EXE
PID: 4294808609 (4294841605) C:\WINDOWS\SYSTEM\RPCSS.EXE
PID: 4294841605 (4294853401) C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
PID: 4294853401 (4294857865) C:\WINDOWS\SYSTEM\MPREXE.EXE
PID: 4294857865 (4279205941) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
PID: 4294867721 (4294857865) C:\WINDOWS\SYSTEM\mmtask.tsk
PID: 4294891549 (4294853401) C:\WINDOWS\SYSTEM\MSTASK.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/9/05 6:23:15 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://ie.search.msn.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
c:\windows\SYSTEM\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.osp
GUID: {FF017DE1-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\mswsosp.dll
Description: Microsoft Windows 9x*Grinler name space provider
DB filename: %windir%\system\mswsosp.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\msafd.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: c:\windows\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 5: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: c:\windows\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x*Grinler network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: c:\windows\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x*Grinler name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.

ad-aware:

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, January 09, 2005 1:24:36 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R24 29.12.2004


References detected during the scan:

MRU List(TAC index:0):3 total references
Tracking Cookie(TAC index:3):1 total references


Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R24 29.12.2004
Internal build : 29
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 416382 Bytes
Total size : 1313453 Bytes
Signature data size : 1283765 Bytes
Reference data size : 29176 Bytes
Signatures total : 36484
Fingerprints total : 610
Fingerprints size : 23044 Bytes
Target categories : 15
Target families : 633


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:5 %
Total physical memory:130524 kb
Available physical memory:7760 kb
Total page file size:1966624 kb
Available on page file:1818920 kb
Total virtual memory:2093056 kb
Available virtual memory:2045952 kb
OS:Microsoft Windows 98 SE

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


1-9-05 1:24:36 PM - Scan started. (Custom mode)

Listing running processes


#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4279235835
Threads : 6
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294844487
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294850519
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294840099
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:5 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294880467
Threads : 2
Priority : Normal
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
ProductName : Microsoft Windows Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [ASHSERV.EXE]
ModuleName : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
Command Line : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
ProcessID : 4294861259
Threads : 25
Priority : Normal
FileVersion : 4, 5, 536, 0
ProductVersion : 4, 5, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2003 ALWIL Software
OriginalFilename : aswServ.exe

#:7 [KPF4SS.EXE]
ModuleName : C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
Command Line : "c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"
ProcessID : 4294887823
Threads : 12
Priority : Normal
FileVersion : 4.1.2
ProductVersion : 4.1.2
ProductName : Kerio Personal Firewall 4
CompanyName : Kerio Technologies
FileDescription : Kerio Personal Firewall 4 - Service
InternalName : kpf4ss
LegalCopyright : Copyright © 1997-2004 Kerio Technologies
OriginalFilename : kpf4ss.EXE
Comments : Kerio Personal Firewall 4 - Service

#:8 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4294715707
Threads : 16
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:9 [RPCSS.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RPCSS.EXE
Command Line : RPCSS
ProcessID : 4294746495
Threads : 5
Priority : Normal
FileVersion : 4.71.2900
ProductVersion : 4.71.2900
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:10 [KPF4GUI.EXE]
ModuleName : C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
Command Line : "C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\kpf4gui.exe" -g 10
ProcessID : 4294743103
Threads : 6
Priority : Normal
FileVersion : 4.1.2
ProductVersion : 4.1.2
ProductName : Kerio Personal Firewall 4
CompanyName : Kerio Technologies
FileDescription : Kerio Personal Firewall 4 - GUI
InternalName : kpf4gui
LegalCopyright : Copyright © 1997-2004 Kerio Technologies
OriginalFilename : kpf4gui.EXE
Comments : Kerio Personal Firewall 4 - GUI

#:11 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\windows\taskmon.exe"
ProcessID : 4294582947
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:12 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4294590055
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE

#:13 [ATI2PLAB.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
Command Line : "C:\WINDOWS\SYSTEM\ati2plab.exe"
ProcessID : 4294602727
Threads : 1
Priority : Normal
FileVersion : 4.00.1381.1024
ProductVersion : 4.00.1381.1024
ProductName : ATI Polling Program for WindowsNT and Windows9X
CompanyName : ATI Technologies Inc.
FileDescription : ATI2PLAB Polling Program
InternalName : ati2plab.exe
LegalCopyright : Copyright 1999 ATI Technologies Inc.
OriginalFilename : ati2plab.exe

#:14 [ATIPTAAB.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
Command Line : "C:\WINDOWS\SYSTEM\Atiptaab.exe"
ProcessID : 4294591259
Threads : 1
Priority : Normal
FileVersion : 4.11.2434
ProductName : ATI Technologies, Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Task Icon
InternalName : ATIPDSXX
LegalCopyright : Copyright ATI Technologies Inc. 1999
OriginalFilename : ATIPTAXX.DLL

#:15 [ATI2CWXX.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
Command Line : "C:\WINDOWS\SYSTEM\Ati2cwxx.exe"
ProcessID : 4294596099
Threads : 2
Priority : Normal
FileVersion : 4.11.1002
ProductVersion : 4.11.1002
ProductName : ATI CWDDE 32-Bit Callback
CompanyName : ATI Technologies Inc.
FileDescription : ATI Common Windows Display Driver Extension
InternalName : ATI2CWXX
LegalCopyright : Copyright ATI Technologies Inc., 1999
OriginalFilename : ATI2CWXX.EXE

#:16 [REALPLAY.EXE]
ModuleName : C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
ProcessID : 4294598395
Threads : 6
Priority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:17 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : "C:\WINDOWS\SYSTEM\STIMON.EXE"
ProcessID : 4294622831
Threads : 3
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1998
OriginalFilename : STIMON.EXE

#:18 [WINAMPA.EXE]
ModuleName : C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
Command Line : "C:\Program Files\Winamp3\winampa.exe"
ProcessID : 4294611707
Threads : 1
Priority : Normal


#:19 [ASHMAISV.EXE]
ModuleName : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
Command Line : "C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe"
ProcessID : 4294633411
Threads : 6
Priority : Normal


#:20 [AIM.EXE]
ModuleName : C:\PROGRAM FILES\AIM\AIM.EXE
Command Line : "C:\PROGRAM FILES\AIM\aim.exe" -cnetwait.odl
ProcessID : 4294638923
Threads : 3
Priority : Normal
FileVersion : 5.9.3690
ProductVersion : 5.9.3690
ProductName : AOL Instant Messenger
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
LegalCopyright : Copyright 1996-2004 America Online, Inc.
OriginalFilename : AIM.EXE

#:21 [A2GUARD.EXE]
ModuleName : C:\PROGRAM FILES\A2\A2GUARD.EXE
Command Line : "C:\Program Files\a2\a2guard.exe"
ProcessID : 4294512739
Threads : 2
Priority : Normal


#:22 [WEATHER.EXE]
ModuleName : C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
Command Line : "C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE" 1
ProcessID : 4294583971
Threads : 4
Priority : Normal
FileVersion : 6, 4, 0, 9
ProductVersion : 6, 4, 0, 9
ProductName : WeatherBug
CompanyName : AWS Convergence Technologies, Inc.
FileDescription : WeatherBug
InternalName : Desktop Weather
LegalCopyright : Copyright 2001-2004
LegalTrademarks : WeatherBug
OriginalFilename : Weather.exe
Comments : World Largest Weather Network

#:23 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe 64
ProcessID : 4294556423
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:24 [DDHELP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\DDHELP.EXE
Command Line : ddhelp.exe
ProcessID : 4294504771
Threads : 3
Priority : Realtime
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
ProductName : Microsoft DirectX for Windows
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright Microsoft Corp. 1994-2002
OriginalFilename : DDHelp.exe

#:25 [WINMGMT.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
Command Line : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE -Embedding
ProcessID : 4294331931
Threads : 3
Priority : Normal
FileVersion : 1.10.698.0000
ProductVersion : 1.10.698.0000
ProductName : WBEM SDK
CompanyName : Microsoft Corporation
FileDescription : WBEM SDK
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corporation 1995-1998
OriginalFilename : WINMGMT.EXE

#:26 [RNAAPP.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RNAAPP.EXE
Command Line : n/a
ProcessID : 4294303011
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:27 [TAPISRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TAPISRV.EXE
Command Line : n/a
ProcessID : 4294306151
Threads : 5
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:28 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4294228687
Threads : 2
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:

New critical objects: 0
Objects found so far: 0


Started registry scan


Registry Scan result:

New critical objects: 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan



Tracking Cookie Object Recognized!
Type : IECache Entry
Data : bhines1022@2o7[2].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:bhines1022@2o7.net/
Expires : 1-8-10 1:53:08 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:

New critical objects: 1
Objects found so far: 4



Deep scanning and examining files (C:)


Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\AOL Instant Messenger\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\aolextras\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\ATI\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\BACKUP\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Documents And Settings\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Install CompuServe2000\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Install ICQ\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Install Spinner\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Install Winamp\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\My Documents\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\My Music\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Program Files\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\RECYCLED\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\SCANJET\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\sj655\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\WINDOWS\

New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\WUTemp\

New critical objects: 0
Objects found so far: 4


Performing conditional scans...


Conditional scan result:

New critical objects: 0
Objects found so far: 4

1:37:27 PM Scan Complete

Summary Of This Scan

Total scanning time:00:12:51.540
Objects scanned:79919
Objects identified:1
Objects ignored:0
New critical objects:1

Thanks a zillion!
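As an added example (my own code, not part of this thread and not Spybot's), here is a small Python triage script for the "Startup entries list" section of a Spybot log like the one above. It parses each "Located:" block and flags the entries a helper would look at first, such as the HK_LM:Run value whose name is garbage and whose command is C:\MXQMWH.EXE. The sample log embedded in it is constructed from entries in the log above; the heuristics are assumptions of mine, not rules Spybot applies.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on entries from the "Startup entries list"
# section of the Spybot - Search & Destroy 1.3 log posted above.
SAMPLE_LOG = """\
--- Startup entries list ---
Located: HK_LM:Run, 0 44}5]C:\\Program Files\\ISTsvc\\istsvc.exe
command: C:\\MXQMWH.EXE

Located: HK_LM:Run, ashMaiSv
command: C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashmaisv.exe
file: C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashmaisv.exe
size: 233520
MD5: 8f5439b8712536808b38624da507998b

Located: HK_LM:Run, ScanRegistry
command: c:\\windows\\scanregw.exe /autorun
file: c:\\windows\\scanregw.exe
size: 86016
MD5: f123231689e2ab2fa5c636b99314501f

Located: HK_CU:Run, Weather
command: C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHER.EXE 1
"""

# Characters one expects in a hand-written Run value name; anything else
# (the "0 44}5]..." name above) suggests a generated or corrupted name.
NAME_CHARS = re.compile(r"^[A-Za-z0-9 ._\-!()&~]+$")


@dataclass
class StartupEntry:
    location: str              # e.g. "HK_LM:Run" or "Startup (user)"
    name: str                  # registry value name or .lnk file name
    command: str = ""
    file: Optional[str] = None
    size: Optional[int] = None
    md5: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_startup_entries(text: str) -> List[StartupEntry]:
    """Split the Spybot startup section into one StartupEntry per 'Located:' block."""
    entries: List[StartupEntry] = []
    current: Optional[StartupEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Located:"):
            location, _, name = line[len("Located:"):].strip().partition(", ")
            current = StartupEntry(location=location, name=name)
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "command":
                current.command = value
            elif key == "file":
                current.file = value
            elif key == "size":
                current.size = int(value)
            elif key == "md5":
                current.md5 = value.lower()
    return entries


def executable_of(command: str) -> str:
    """Return the program a Run command launches: a quoted path, or everything up to the first .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)(?=\s|$)', command.strip(), re.IGNORECASE)
    if m:
        return m.group(1) or m.group(2)
    return command.strip().split(" ", 1)[0]


def triage(entry: StartupEntry) -> List[str]:
    """Attach heuristic findings to an entry and return them (empty list = nothing odd)."""
    findings: List[str] = []
    exe = executable_of(entry.command)
    if not NAME_CHARS.match(entry.name):
        findings.append("value name contains unexpected characters")
    # Legitimate autostarts live under Program Files or the Windows directory;
    # a bare executable in the drive root (C:\MXQMWH.EXE) is an unusual place for one.
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):
        findings.append("executable sits in the drive root")
    # A value name that embeds a path different from what the command runs is a mismatch.
    if "\\" in entry.name and exe.lower() not in entry.name.lower():
        findings.append("value name points at a different file than the command")
    # Spybot prints file/size/MD5 only when it could resolve the file. On its own this is
    # weak: in the log above, unquoted paths with spaces (WeatherBug, AIM) also lack them.
    if entry.md5 is None:
        findings.append("scanner could not resolve the file (no size/MD5)")
    entry.findings = findings
    return findings


def suspicious_entries(text: str) -> List[StartupEntry]:
    """Entries with at least two independent findings, i.e. the ones to look at first."""
    return [e for e in parse_startup_entries(text) if len(triage(e)) >= 2]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.location} {e.name!r} -> {e.command}")
        for f in e.findings:
            print("   -", f)
```

Run against the sample, only the ISTsvc/MXQMWH entry is reported; the WeatherBug entry collects a single weak finding and is left alone.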

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 09:06 PM

Looks like we have a stubborn malware file. :thumbsup:

First, let's make sure we have all the malware uninstalled.

Uninstall the 'My Search Bar' (MySearch variant), 'MyWay Speed Bar' (MyWay) or 'My Web Search Bar' (MyWeb) entry and click 'Remove'.
For the MyWeb variant, be sure to also remove 'Fun Web Products Easy Installer' if it is there.

You can then reset your home page (Internet Options->General->Start Page) if it has been changed, and search settings (Internet Options->Programs->Reset web settings).


*******************************************************

Download killbox http://www.bleepingcomputer.com/files/killbox.php
Unzip the downloaded file to your desktop.

Navigate to the killbox folder now on your desktop and double-click on Killbox.exe

Select the Delete on reboot option

In the Full path of file to delete field copy and paste the following into the field:

C:\MXQMWH.EXE

Now press the button that looks like a red circle with a white X in it.

When it asks if you would like to continue and reboot, press the NO button.

In the Full path of file to delete field copy and paste the following into the field:

C:\Program Files\ISTsvc\istsvc.exe

Now press the button that looks like a red circle with a white X in it.

This time when it asks you to reboot, press the Yes button.


Reboot and post a new Hijackthis log.

Edited by SifuMike, 09 January 2005 - 09:07 PM.

#11 chriscross

chriscross
  • Topic Starter
  • Members
  • 23 posts
  • Location: maryland U.S.A.

Posted 09 January 2005 - 09:30 PM

SifuMike,

How do I uninstall my search bar?

When I go to Control Panel > Add/Remove Programs, click on My Search Bar and click Remove, a blank window opens with the header: res://C:\PROGRA~1MYWAY\MYBAR\1.BIN\mybar.dll/101 . When I close this window (that is all it will let me do), My Search Bar is still there. I have tried over and over. :thumbsup: I cannot open the killbox; I get a message that informs me that it is not a valid Dr Watson file? lol, because it beats crying!
CHRIS

Edited by chriscross, 09 January 2005 - 09:41 PM.


#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender: Male
  • Location: Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 09:51 PM

Delete the Folder that is Highlighted:

(You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab.) (You may have to boot to "Safe Mode" in order to delete the Folder.)

C:\Program Files\MyWay\ <== folder

#13 chriscross

chriscross
  • Topic Starter

  • Members
  • 23 posts
  • Location:maryland U.S.A.

Posted 09 January 2005 - 10:17 PM

SifuMike,

I cannot find anything in my files pertaining to My Bar. I did, however, stumble across a monster file labelled backup20050109-101415-395.dll; it's huge and written in Java. I scrolled through, and at the end it had some strange English referring to "Why delete my bar, it's good for you, blablabla"? I think this is it. Yes, this is it. I don't know how to read code, but this sh*t is interesting; you should see it. I think it says that if it is removed it will crash my computer!
Chris

Edited by chriscross, 09 January 2005 - 10:25 PM.


#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 09 January 2005 - 10:40 PM

Try this for deleting those two files.

Boot to the Safe Mode.
Open Hijackthis, select Config > Misc Tools > Delete on Reboot, navigate to the file C:\MXQMWH.EXE, click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the No button and enter the other file, C:\Program Files\ISTsvc\istsvc.exe. Then click the Yes button to reboot now.
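The delete-on-reboot step in the post above, and the MyWay folder removal from post #12, as an added example that is not the thread's own tooling and not HijackThis code: it assumes a current PowerShell run as Administrator, and that MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT (the Win32 call that writes PendingFileRenameOperations for the next boot) is the mechanism behind that kind of "delete on reboot" feature. Without -Queue it only reports what is present and records hashes, so the evidence survives the cleanup.

```powershell
# Added example, not from the thread. Inspect the paths named in the posts and,
# only with -Queue, schedule them for deletion at next boot via MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT (assumed to be what delete-on-reboot tools rely on).
param([switch]$Queue)

$targets = @(
    'C:\MXQMWH.EXE',
    'C:\Program Files\ISTsvc\istsvc.exe',
    'C:\Program Files\MyWay'
)

$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'K32' -Namespace 'Win32' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 4   # a NULL destination with this flag means "delete at boot"

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "absent : $path"
        continue
    }
    $item = Get-Item -LiteralPath $path -Force
    # Record size, timestamp and hash before anything is removed.
    if ($item.PSIsContainer) {
        $n = (Get-ChildItem -LiteralPath $path -Force -Recurse | Measure-Object).Count
        Write-Output ("present: {0} (folder, {1} entries)" -f $path, $n)
    } else {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Write-Output ("present: {0} {1} bytes modified {2} sha256 {3}" -f $path, $item.Length, $item.LastWriteTime, $hash)
    }
    if (-not $Queue) { continue }
    # A directory is only removed at boot if empty, so queue its contents first,
    # deepest paths before their parents.
    $queue = @()
    if ($item.PSIsContainer) {
        $queue += Get-ChildItem -LiteralPath $path -Force -Recurse |
                  Sort-Object FullName -Descending | ForEach-Object FullName
    }
    $queue += $path
    foreach ($q in $queue) {
        if ($k32::MoveFileEx($q, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Write-Output "queued : $q"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "could not queue $q (Win32 error $err)"
        }
    }
}
```

The queued entries can be checked before rebooting under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations.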

#15 chriscross

chriscross
  • Topic Starter

  • Members
  • 23 posts
  • Location:maryland U.S.A.

Posted 09 January 2005 - 11:32 PM

First, I apologize for my ignorance and thanks for your patience. I realize now that the numbered file I referred to in my last post is from my own backup and it probably refers to my real search bar. I went into Safe Mode and did as you said; the bar for Delete on Reboot is not activated. I tried in regular mode: not activated. I should mention that I have my HJT in My Documents with a shortcut on my desktop to HJT.exe. I don't know if that matters, but I am at a loss. I really do not know my way around a computer, so please speak kid talk to me. lol Maybe my Hijackthis has been hijacked; it lists about:blank as its default start page. My IE has this too.
Thanks,
Chris

Edited by chriscross, 10 January 2005 - 01:58 AM.




