Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help wanted


  • Please log in to reply
6 replies to this topic

#1 yorn75

yorn75

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 13 January 2005 - 01:33 AM

Can someone please help me with this one?

Spybot only find DSO exploit, Adaware found a coolwebsearch / homeoldsp and searchbar and Norman came up with Trojan: Startpage.gd

They seems to go away after removing in safe mode, but the problems still continue.

Any suggestions?

Here's my Hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 06:59:54, on 13.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programfiler\Eicon\Diva\DiTask.exe
C:\Programfiler\Eicon\Diva\Divamon.exe
C:\Programfiler\Eicon\Diva\watch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Programfiler\ScanSoft\OmniPageSE\opware32.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\WINDOWS\system32\cerf.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
G:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.start.no
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://nr6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tele2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1E96EFF-1E83-451C-8513-C87BB8EFBD48} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DiTask.exe] "C:\Programfiler\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Programfiler\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Programfiler\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Programfiler\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programfiler\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\Run: [Perfect Process shield] C:\Programfiler\Perfect Process\ppshield.exe
O4 - HKLM\..\Run: [Microsoft Update Agent ] wupdclt32.exe
O4 - HKLM\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Agent ] wupdclt32.exe
O4 - HKLM\..\RunServices: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Programfiler\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programfiler\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\nvc\BIN\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

BC AdBot (Login to Remove)

 


#2 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:19 AM

Posted 14 January 2005 - 04:37 PM

Ignore the DSO explot. Your system is fully up to date, so it is only a false positive.

Also, HJT needs to be run from your root drive, ot it won't be able to save any backups. That means if we make a mistake, there will be no way to fix it. Extract it into it's own folder please. ;)

Also, disable tea-timer, or none of these fixes will work at all.
http://russelltexas.com/malware/teatimer.htm

Put a checkmark next to the following entries in HijackThis. Make sure all
other windows and browsers are closed before clicking on “Fix Checked”
.

1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.start.no
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://nr6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O4 - HKLM\..\Run: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\Run: [Perfect Process shield] C:\Programfiler\Perfect Process\ppshield.exe
O4 - HKLM\..\Run: [Microsoft Update Agent ] wupdclt32.exe
O4 - HKLM\..\Run: [Nvidia Control Panel] ncsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Agent ] wupdclt32.exe
O4 - HKLM\..\RunServices: [Advanced Internet Protocol] cerf.exe
O4 - HKLM\..\RunServices: [Nvidia Control Panel] ncsvc32.exe
O4 - HKCU\..\Run: [Nvidia Control Panel] ncsvc32.exe
O23 - Service: Security Agent - Unknown - C:\WINDOWS\system32\scagent.exe (file missing)

***********************************************************************
Boot into SAFE MODE by tapping the f8 key during boot up.

Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click"Apply to all folders"

Click "Apply" then "OK. While you still have the My Computer Window open, click on C:\. Browse to these entries and delete them:

cerf.exe
wupdclt32.exe
ncsvc32.exe


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
************************************************************************

While you are still in safe mode, run Adaware again...you are running Adaware SE right? Make sure you have all of your AV definitions updated.

Also, if you see your desired home page in the list up above, then don't remove it. Or if you do, you can reset it when we are done.

Reboot and post a new log. :thumbsup:

#3 yorn75

yorn75
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 17 January 2005 - 03:09 AM

Thanks for your help.
Tried to do what you wrote, but couldn't find "wupdclt32.exe" and "ncsvc32.exe" (Didn't browse to every folder in c:\ but tried extended search and looked in windows\system32\ among others) Also found 3 "curf.exe-up" files (In recovery/trashcan) They appered to be txt documents (?)

Scanned with Ad-awere SE - it found nothing, but Norman antivirus came up with an warning for trojan: startpageGD

Tried security task manager, and it came up with couple of possible treats like "loge.dll" and "dva386" any idea what those my be?

Anyway - here's me latest log - left the startpages for "http://www.start.no" untouched, since it's my homepage.

Logfile of HijackThis v1.99.0
Scan saved at 08:44:34, on 17.01.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Norman\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\NORMAN\nvc\BIN\NVCSCHED.EXE
C:\NORMAN\nvc\BIN\NJEEVES.EXE
C:\windows\system\hpsysdrv.exe
C:\NORMAN\nvc\BIN\nvcoas.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\NORMAN\Nvc\BIN\ZLH.EXE
C:\Programfiler\Eicon\Diva\DiTask.exe
C:\Programfiler\Eicon\Diva\Divamon.exe
C:\Programfiler\Eicon\Diva\watch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Programfiler\ScanSoft\OmniPageSE\opware32.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programfiler\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.no
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.start.no
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tele2
O2 - BHO: (no name) - {C1E96EFF-1E83-451C-8513-C87BB8EFBD48} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [DiTask.exe] "C:\Programfiler\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Programfiler\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Programfiler\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Programfiler\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programfiler\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Omnipage] C:\Programfiler\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Programfiler\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.start.no
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norman API-hooking helper - Unknown - C:\NORMAN\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown - C:\NORMAN\nvc\BIN\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown - C:\Norman\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component - Norman ASA - C:\NORMAN\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler - Norman Data Defense Systems - C:\NORMAN\nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:19 AM

Posted 17 January 2005 - 10:16 AM

That looks really good. can I see your Adaware SE log please? That will tell me where the last little bits of malware are hiding.

Here is how you get the Adaware SE log file:

Navigate to your Ad-aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs.

Open this folder and find the correct log.
The logs are named "Ad-Aware-log ##-##-##.txt (the #'s will be the date of the scan).



#5 yorn75

yorn75
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 18 January 2005 - 01:56 AM

Here's the latest Ad-awere log


Ad-Aware SE Build 1.05
Logfile Created on:18. januar 2005 06:16:22
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R25 11.01.2005
Internal build : 30
File location : C:\Programfiler\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 412196 Bytes
Total size : 1300547 Bytes
Signature data size : 1270864 Bytes
Reference data size : 29171 Bytes
Signatures total : 36186
Fingerprints total : 604
Fingerprints size : 22767 Bytes
Target categories : 15
Target families : 632


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:57 %
Total physical memory:523760 kb
Available physical memory:295820 kb
Total page file size:1279724 kb
Available on page file:1096628 kb
Total virtual memory:2097024 kb
Available virtual memory:2044996 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


18.01.2005 06:16:22 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-720897496-1148942700-689279713-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-720897496-1148942700-689279713-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-720897496-1148942700-689279713-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 344
ThreadCreationTime : 18.01.2005 05:15:14
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 400
ThreadCreationTime : 18.01.2005 05:15:15
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 424
ThreadCreationTime : 18.01.2005 05:15:16
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 468
ThreadCreationTime : 18.01.2005 05:15:16
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Program for tjenester og kontroller
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 480
ThreadCreationTime : 18.01.2005 05:15:16
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 716
ThreadCreationTime : 18.01.2005 05:15:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 784
ThreadCreationTime : 18.01.2005 05:15:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 824
ThreadCreationTime : 18.01.2005 05:15:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 884
ThreadCreationTime : 18.01.2005 05:15:20
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1044
ThreadCreationTime : 18.01.2005 05:15:21
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Utforsker
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : EXPLORER.EXE

#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1124
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [cisvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1216
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : cisvc.exe

#:13 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1228
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:14 [mdm.exe]
FilePath : C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\
ProcessID : 1288
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:15 [zanda.exe]
FilePath : C:\Norman\NVC\BIN\
ProcessID : 1312
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal


#:16 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1356
ThreadCreationTime : 18.01.2005 05:15:22
BasePriority : Normal
FileVersion : 6.13.10.2942
ProductVersion : 6.13.10.2942
ProductName : NVIDIA Driver Helper Service, Version 29.42
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 29.42
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:17 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1544
ThreadCreationTime : 18.01.2005 05:15:23
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:18 [hpsysdrv.exe]
FilePath : C:\windows\system\
ProcessID : 1956
ThreadCreationTime : 18.01.2005 05:15:25
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe

#:19 [kbd.exe]
FilePath : C:\HP\KBD\
ProcessID : 1988
ThreadCreationTime : 18.01.2005 05:15:25
BasePriority : High


#:20 [sgtray.exe]
FilePath : C:\Programfiler\VERITAS Software\Update Manager\
ProcessID : 1996
ThreadCreationTime : 18.01.2005 05:15:25
BasePriority : Normal
FileVersion : 1.01.01a
CompanyName : VERITAS Software, Inc.
FileDescription : VERITAS Update Manager
LegalCopyright : Copyright © 2000-2002 VERITAS Software, Inc.

#:21 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 2004
ThreadCreationTime : 18.01.2005 05:15:25
BasePriority : Normal
FileVersion : 1.03.37a
CompanyName : VERITAS Software, Inc.
FileDescription : Direct Access Component
LegalCopyright : Copyright © VERITAS Software, Inc.

#:22 [zlh.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 200
ThreadCreationTime : 18.01.2005 05:15:26
BasePriority : Normal


#:23 [ditask.exe]
FilePath : C:\Programfiler\Eicon\Diva\
ProcessID : 208
ThreadCreationTime : 18.01.2005 05:15:27
BasePriority : Normal
FileVersion : 101-58
ProductVersion : 101-58
ProductName : ditask Application
CompanyName : Eicon Networks Corporation
FileDescription : ditask MFC Application
InternalName : ditask
LegalCopyright : Copyright © 1997-2001
OriginalFilename : ditask.EXE

#:24 [nymse.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 108
ThreadCreationTime : 18.01.2005 05:15:27
BasePriority : Normal


#:25 [nip.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 396
ThreadCreationTime : 18.01.2005 05:15:28
BasePriority : Normal


#:26 [divamon.exe]
FilePath : C:\Programfiler\Eicon\Diva\
ProcessID : 736
ThreadCreationTime : 18.01.2005 05:15:28
BasePriority : Normal


#:27 [watch.exe]
FilePath : C:\Programfiler\Eicon\Diva\
ProcessID : 860
ThreadCreationTime : 18.01.2005 05:15:29
BasePriority : Normal
FileVersion : 1.00.101-163
ProductVersion : 1.00.101-163
CompanyName : Eicon Networks Corporation
FileDescription : Syslog Daemon
LegalCopyright : Copyright © 2001

#:28 [cthelper.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 976
ThreadCreationTime : 18.01.2005 05:15:29
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : cthelper
CompanyName : Creative Technology Ltd
FileDescription : cthelper
InternalName : cthelper
LegalCopyright : Copyright © 2002
OriginalFilename : cthelper.exe

#:29 [hpztsb06.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 948
ThreadCreationTime : 18.01.2005 05:15:29
BasePriority : Normal
FileVersion : 2,133,0,0
ProductVersion : 2,133,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:30 [opware32.exe]
FilePath : C:\Programfiler\ScanSoft\OmniPageSE\
ProcessID : 588
ThreadCreationTime : 18.01.2005 05:15:29
BasePriority : Normal
FileVersion : 11.0
ProductVersion : 11.0
ProductName : OmniPage SE
CompanyName : ScanSoft, Inc
FileDescription : OCR Aware (32-bit)
InternalName : Opware32.exe
LegalCopyright : Copyright © 1995-2000 ScanSoft, Inc
OriginalFilename : Opware32.exe

#:31 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1452
ThreadCreationTime : 18.01.2005 05:15:30
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:32 [nvcsched.exe]
FilePath : C:\NORMAN\nvc\BIN\
ProcessID : 696
ThreadCreationTime : 18.01.2005 05:15:35
BasePriority : Normal
FileVersion : 1.03
ProductVersion : 1.03
ProductName : Norman Virus Control
CompanyName : Norman Data Defense Systems
FileDescription : NVC Scheduler
InternalName : NVCSched.exe
LegalCopyright : © Norman Data Defense Systems. 1997-2000
OriginalFilename : NVCSched.exe

#:33 [nvcoas.exe]
FilePath : C:\NORMAN\nvc\BIN\
ProcessID : 324
ThreadCreationTime : 18.01.2005 05:15:35
BasePriority : Normal
FileVersion : 5, 3, 0, 1
ProductVersion : NVC forTerminal server beta
ProductName : NVC on-access scanner
CompanyName : Norman ASA
FileDescription : NVC on-access virus scanner
InternalName : NVCNT
LegalCopyright : Copyright © 2000-2001
OriginalFilename : NVCOAS.EXE

#:34 [njeeves.exe]
FilePath : C:\NORMAN\nvc\BIN\
ProcessID : 332
ThreadCreationTime : 18.01.2005 05:15:35
BasePriority : Normal


#:35 [nipsvc.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 1896
ThreadCreationTime : 18.01.2005 05:15:36
BasePriority : Normal


#:36 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1948
ThreadCreationTime : 18.01.2005 05:15:36
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:37 [wscntfy.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1576
ThreadCreationTime : 18.01.2005 05:15:37
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Security Center Notification App
InternalName : wscntfy.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wscntfy.exe

#:38 [cclaw.exe]
FilePath : C:\NORMAN\Nvc\BIN\
ProcessID : 2124
ThreadCreationTime : 18.01.2005 05:15:44
BasePriority : Normal


#:39 [ad-aware.exe]
FilePath : C:\Programfiler\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2196
ThreadCreationTime : 18.01.2005 05:16:03
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:40 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2224
ThreadCreationTime : 18.01.2005 05:16:09
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Operativsystemet Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Automatiske oppdateringer
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Med enerett.
OriginalFilename : wuauclt.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 3




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

06:37:44 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:21:22.360
Objects scanned:211748
Objects identified:0
Objects ignored:0
New critical objects:0

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:07:19 AM

Posted 18 January 2005 - 09:52 AM

That log is clean. I don't know why Norton is teling you that there is malware hiding in there, because I am not seeing it.

Have you also emptied all of your temp files, flushed your recycly bin, etc?

#7 yorn75

yorn75
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:19 AM

Posted 18 January 2005 - 03:33 PM

Thank you very much
I've run CCleaner and turned off system restore, so it might have gone away somewhere there. Could also be someting that Norton couldn't change do too tea-timer earlier, but it managed to fix it when i turned it off to fix what you said.

And again - thank you very, very much!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users