Full Version: Recurring CWS.SearchX -- nothing works! Help?
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
awtry
I'm not the first to have this problem, but in seeing all of the warnings about not using fixes that worked for others, I figured you bright folks could help me out.

I've got CWS.SearchX; a nasty bugger that keeps recurring. I've tried everything -- updated Ad-aware and Spybot S&D don't get rid of it, and CoolWeb Shredder only ditches it for a day or so. It always comes back.

Manually, I can go in and fix it using a combination of Shredder and HijackThis, but I'm getting awfully tired of living this way -- I'm really close to a clean format and install ... unless someone here can give me a leg up. I'm reasonably technically proficient, so I'm really bugged by this recurring piece of nastiness. I waited until re-infection so I could post my HijackThis log below.

Any help would be REALLY appreciated. Thanks in advance.

Log follows (a couple of the weird entries are for my force feedback Logitech mouse):

Logfile of HijackThis v1.97.7
Scan saved at 10:12:10 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
C:\Program Files\Widcomm\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.AWTRY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion.com/plugins/ImmWeb.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/...k1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7559.4511689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...270/mcfscan.cab
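An added example, not part of awtry's post and not HijackThis's own code: a small triage script that reads HijackThis v1.97 log lines and picks out the search-hijack pattern visible above. The sample lines are copied from the log in the post (the truncated O16 URL is copied as it appears); the flagging rules are this example's own heuristics, not anything HijackThis does.

```python
"""Added example (editor-written, not from the forum post and not HijackThis
code): triage a HijackThis v1.97 log for the search hijack shown above.
SAMPLE_LOG contains lines copied from the posted log; the rules are heuristics
of this example only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the posted HijackThis log.  The first O16 entry is the one
# with no control name and no download URL.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
"""

# R0/R1: "<hive\key>,<value> = <data>";  O16: "{CLSID} (name) - url"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM)\\[^,]+),([^=]+?) = (.*)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})\s*(?:\(([^)]*)\))?\s*-\s*(.*)$")

# Internet Explorer registry values that search/start-page hijackers overwrite.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant", "Start Page",
                 "Default_Page_URL", "Default_Search_URL", "CustomizeSearch"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "search_hijack" or "orphan_dpf"
    line: str      # the offending log line
    target: str = ""  # for search_hijack: where the setting points


def triage(log_text: str) -> list[Finding]:
    """Return the indicator lines this example knows how to recognise."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := R_LINE.match(line):
            _, _key, value, data = m.groups()
            # A search or start page that is a local file (here in %TEMP%) is
            # the hijack itself: IE renders that page instead of a search site.
            if value in SEARCH_VALUES and data.lower().startswith("file://"):
                findings.append(Finding("search_hijack", line, data))
        elif m := O16_LINE.match(line):
            _clsid, name, url = m.groups()
            # A Downloaded Program Files entry with neither a control name nor
            # a source URL is listed for manual review.
            if not name and not url:
                findings.append(Finding("orphan_dpf", line))
    return findings


def hijack_targets(findings: list[Finding]) -> set[str]:
    """Distinct local pages the search settings point at.  One file here, so
    the six R0/R1 lines are symptoms of a single component, not six problems."""
    return {f.target for f in findings if f.kind == "search_hijack"}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:14} {f.line}")
    print("hijack pages:", hijack_targets(found))
```

Fixing the six R0/R1 lines with HijackThis only rewrites the symptoms; the script's point is that they all resolve to one page, so whatever rewrites those values has to be found before the log stays clean.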
CalamityJane
Hello awtry,

Adaware has two updates today that include Coolwebsearch. Try updated Adaware and scan and see if it finds anything new first (with the following settings, and do the scan in safe mode).

Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R329 06.07.2004 or higher listed.

In Ad-aware click the Gear icon to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning


Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile

In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings.

Don't scan yet, please. We need to do the next steps in SAFE MODE, so please copy these instructions so you have them handy since you will probably not be able to get online in safe mode.

Now, reboot into safe mode (instructions included in case you need them).
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Open Adaware, Press *scan now* and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine, and you can recover from backup if any should not have been removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
..............................
Next do this:
Download FindnFix.exe from here: http://freeatlast100.100free.com/index.html

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Please wait while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.

When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach the file, do not paste in the text as you did for the log.txt). Just scroll down to the section labeled *File Attachments* on the left side below the reply window. Browse to the file Win.txt and highlight it, then press *Open*. Next press *Add reply* and the file will be attached automatically :)

Please also include the latest Adaware scan log too :)



Scan once more with Hijackthis and don't remove anything yet in the log. Post it back here so we can see what may remain to be fixed :)
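An added example, not part of either post and not FindnFix's code: what the FindnFix "Windows key" step is looking for. The FindnFix log awtry posts later in this thread shows the AppInit_DLLs value reading as empty in the registry dump and in the .reg export, while the string scan of the same key finds C:\WINDOWS\System32\ms.dll and the tool reports a missing trailing null. The script below models that situation with constructed REG_SZ data (a leading UTF-16 null, no terminator) and shows why a null-terminated read comes back empty while a scan of the raw bytes does not. The byte layout is an assumption made to reproduce what the log reports; this page does not document the exact layout the real variant used. The Windows-only reader at the end uses advapi32 directly because Python's winreg converts REG_SZ up to the first null.

```python
r"""Added example (editor-written; not FindnFix's code and not from the post):
why a hijacked AppInit_DLLs value can read as empty in regedit, in a .reg
export and through the normal registry API while the raw hive bytes still
name a DLL.

Assumption: the hidden value is modelled as REG_SZ data that begins with a
UTF-16 null and has no terminating null.  That reproduces what the FindnFix
log in this thread reports (API view empty, 'MISSING TRAILING NULL
CHARACTER', the ms.dll path visible only in the string scan); the layout the
real variant used is not documented on this page."""
import re


def encode_reg_sz(text: str) -> bytes:
    """Well-formed REG_SZ data: UTF-16LE text plus a two-byte terminator."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed sample data (not captured from the infected machine).
CLEAN_APPINIT = encode_reg_sz("")
HIDDEN_APPINIT = b"\x00\x00" + r"C:\WINDOWS\System32\ms.dll".encode("utf-16-le")


def api_view(data: bytes) -> str:
    """What consumers of RegQueryValueEx (regedit, winreg, a .reg export)
    display: the text up to the first UTF-16 null."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def raw_strings(data: bytes) -> list[str]:
    """Printable runs anywhere in the buffer, nulls ignored, the way a string
    scan over the hive file sees the value."""
    text = data.decode("utf-16-le", errors="replace")
    return re.findall(r"[\x20-\x7e]{4,}", text)


def check_appinit(data: bytes) -> dict:
    """Compare the API view with the raw bytes and flag any disagreement.
    'loaded' is the documented AppInit_DLLs format (space/comma separated
    names) applied to the API view; any non-empty entry deserves review."""
    api = api_view(data)
    raw = raw_strings(data)
    hidden = [s for s in raw if s not in api]
    terminated = len(data) >= 2 and len(data) % 2 == 0 and data[-2:] == b"\x00\x00"
    return {
        "api": api,
        "loaded": [d for d in re.split(r"[ ,]+", api) if d],
        "raw": raw,
        "hidden": hidden,
        "terminated": terminated,
        "suspicious": bool(hidden) or not terminated,
    }


def read_raw_value_windows(
    subkey: str = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    name: str = "AppInit_DLLs",
) -> bytes:
    """Windows only: fetch the value's bytes straight from RegQueryValueExW so
    that embedded nulls survive (winreg.QueryValueEx would truncate them)."""
    import ctypes
    from ctypes import wintypes

    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    # Predefined handle as the SDK macros define it: 0x80000002, sign-extended.
    hklm = wintypes.HKEY(ctypes.c_long(0x80000002).value)
    key_read = 0x20019
    hkey = wintypes.HKEY()
    rc = adv.RegOpenKeyExW(hklm, subkey, 0, key_read, ctypes.byref(hkey))
    if rc:
        raise OSError(rc, "RegOpenKeyExW")
    try:
        vtype, size = wintypes.DWORD(), wintypes.DWORD(0)
        rc = adv.RegQueryValueExW(hkey, name, None, ctypes.byref(vtype), None, ctypes.byref(size))
        if rc:
            raise OSError(rc, "RegQueryValueExW (size)")
        buf = ctypes.create_string_buffer(size.value)
        rc = adv.RegQueryValueExW(hkey, name, None, ctypes.byref(vtype), buf, ctypes.byref(size))
        if rc:
            raise OSError(rc, "RegQueryValueExW")
        return buf.raw[: size.value]
    finally:
        adv.RegCloseKey(hkey)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_APPINIT), ("hidden", HIDDEN_APPINIT)):
        print(label, check_appinit(blob))
```

On a live machine the two views are compared with `check_appinit(read_raw_value_windows())`; a result whose `hidden` list is non-empty or whose `terminated` flag is false is the condition FindnFix reports, and it explains why removing the R0/R1 lines and sp.html alone does not stop the re-infection: the DLL named in the raw bytes is what keeps rewriting them.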
awtry
I was in the process of writing how great you folks were (after I'd completed your steps) when Scotty popped up to tell me all of the stuff was coming back. You're still great, but better if you can make this all go away for good. Here are the things you asked for (and, warning -- this is a long, long post):


The FindnFix log (before I got the alerts the stuff came back):

*** freeatlast100.100free.com ***

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

Tue 07/06/2004
10:01pm up 0 days, 0:18

***LOG!***

Scanning for file(s)...
*********
(*1*) .........
Locked or 'Suspect' file(s) found...

C:\WINDOWS\System32\MS.DLL +++ File read error
\\?\C:\WINDOWS\System32\MS.DLL +++ File read error

(*2*) ........
**File C:\FINDnFIX\LIST.TXT
MS.DLL Can't Open!
MSCMS.DLL Can't Open!

(*3*) ........

C:\WINDOWS\SYSTEM32\
ms.dll Fri Jun 18 2004 4:08:52p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K


C:\WINDOWS\SYSTEM32\
ms.dll Fri Jun 18 2004 4:08:52p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

(*4*) .........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MS.DLL

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MS.DLL

(*5*)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
Access denied ..................... MS.DLL .....57344 18.06.2004
Access denied ..................... MSCMS.DLL .....68096 29.08.2002

*********

Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


Member of...: (Admin logon required!)
User is a member of group AWTRY\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


Notepad check....

C:\WINDOWS\
notepad.exe Fri Jun 18 2004 4:08:40p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Fri Jun 18 2004 4:13:46p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Fri Jun 18 2004 4:08:40p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-18-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000

Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x AWTRY\Administrator
Allow 0000001B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00100004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00100002 ---- ---- -w-- BUILTIN\Users

Owner: AWTRY\Administrator

Primary Group: AWTRY\None



Backups created...
10:01pm up 0 days, 0:19
Tue 07/06/2004

A C:\FINDnFIX\keyback.hiv
--a-- - - - - - 8,192 07-06-2004 keyback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 07-06-2004 winkey.reg

Performing string scan....
00001150: ?
00001190: vk 6 f AppInit_
000011D0:DLLs G C : \ W I N D O W S \ S y s t e m 3 2 \ m s . d l l
00001210: vk P UDeviceNotSelectedTimeout
00001250: 1 5 ( W 9 0 ! vk ' zGDIProce
00001290:ssHandleQuota" vk Spooler2 y e s
000012D0: p vk =pswapdisk vk
00001310: ` R TransmissionRetryTimeout p
00001350: X vk ' 0 USERProcessHandleQuota1 x
00001390:
000013D0:
00001410:
00001450:
00001490:
000014D0:
00001510:
00001550:

---------- WIN.TXT
fAppInit_DLLs֍GC
--------------
--------------
C:\WINDOWS\System32\ms.dll
yes
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710




My Adaware log (after the stuff had popped up again and I ran it):


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, July 06, 2004 10:06:46 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R330 07.07.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


7-6-2004 10:06:46 PM - Scan started. (Custom mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-7-2004 1:42:32 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-7-2004 1:42:35 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-7-2004 1:42:36 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-7-2004 1:42:36 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-7-2004 1:42:37 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:38 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/23/2001 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-7-2004 1:42:39 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/23/2001 12:00:00 PM

#:8 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:40 AM
BasePriority : Normal
FileSize : 180 KB
Created on : 3/20/2003 4:17:04 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 3/20/2003 4:17:04 PM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-7-2004 1:42:43 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 10/29/2002 6:59:55 PM
Last accessed : 7/7/2004 1:46:07 AM
Last modified : 8/29/2002 10:41:24 AM

#:10 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 7-7-2004 1:42:44 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 7, 51, 0, 1
ProductVersion : 7, 51, 0, 1
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 12/22/2000 12:51:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 12/22/2000 12:51:00 PM

#:11 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:44 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 9/10/2003 11:11:46 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 9/10/2003 11:11:46 PM

#:12 [rtvscan.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 7-7-2004 1:42:45 AM
BasePriority : Normal
FileSize : 420 KB
FileVersion : 7.51.00.847
ProductVersion : 7.51.00.847
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 12/22/2000 12:51:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 12/22/2000 12:51:00 PM

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:47 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 8/23/2001 12:00:00 PM

#:14 [em_exec.exe]
FilePath : C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\
ThreadCreationTime : 7-7-2004 1:42:48 AM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 9.73.243
ProductVersion : 9.73
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 10/28/2002 7:38:53 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 8/13/2002 2:50:00 PM

#:15 [cthelper.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:48 AM
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright © 2002
CompanyName : Creative Technology Ltd
FileDescription : CtHelper Application
InternalName : CtHelper
OriginalFilename : CtHelper.EXE
ProductName : CtHelper Application
Created on : 10/29/2002 2:35:12 AM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 7/2/2002 9:56:00 PM

#:16 [idesktop.exe]
FilePath : C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : High
FileSize : 520 KB
FileVersion : 2.9.0.5
ProductVersion : 2.9.0.5
Copyright : Copyright © 1997-2001
CompanyName : Immersion Corporation
FileDescription : Immersion® TouchWare® Desktop
InternalName : IDesktop
OriginalFilename : idesktop.exe
ProductName : Immersion® TouchWare® Desktop
Created on : 4/26/2002 2:47:56 PM
Last accessed : 7/7/2004 1:42:49 AM
Last modified : 4/26/2002 2:47:56 PM

#:17 [hpztsb05.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : Normal
FileSize : 184 KB
FileVersion : 2,128,0,0
ProductVersion : 2,128,0,0
Copyright : Copyright © Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 4/12/2003 11:51:50 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 5/24/2002 12:46:16 PM

#:18 [hphmon04.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : Normal
FileSize : 332 KB
FileVersion : 4,1,14
ProductVersion : 4,1,14
Copyright : Copyright © 2001
CompanyName : Hewlett-Packard
FileDescription : HPHmon04
InternalName : HPHmon04
OriginalFilename : HPHmon04.exe
ProductName : hp photosmart
Created on : 6/20/2002 7:06:12 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 6/20/2002 7:06:12 PM

#:19 [winpatrol.exe]
FilePath : C:\PROGRA~1\BILLPS~1\WINPAT~1\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 6, 0, 0, 4
ProductVersion : 6.0.0.4
Copyright : Copyright
CompanyName : BillP Studios
FileDescription : WinPatrol By Bill Pytlovany
InternalName : WinPatrol
OriginalFilename : Scotty
ProductName : WinPatrol
Created on : 9/14/2003 10:01:05 PM
Last accessed : 7/7/2004 1:49:58 AM
Last modified : 9/10/2003 1:12:54 AM

#:20 [vptray.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.51.00.847
ProductVersion : 7.51.00.847
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 12/22/2000 12:51:00 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 12/22/2000 12:51:00 PM

#:21 [atiptaxx.exe]
FilePath : C:\Program Files\ATI Technologies\ATI Control Panel\
ThreadCreationTime : 7-7-2004 1:42:49 AM
BasePriority : Normal
FileSize : 308 KB
FileVersion : 6.14.10.4029
ProductVersion : 6.14.10.4029
Copyright : Copyright © 1998-2002 ATI Technologies Inc.
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
OriginalFilename : Atiptaxx.exe
ProductName : ATI Desktop Component
Created on : 9/28/2003 8:53:50 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 3/20/2003 2:15:00 PM

#:22 [wcescomm.exe]
FilePath : C:\Program Files\Microsoft ActiveSync\
ThreadCreationTime : 7-7-2004 1:42:50 AM
BasePriority : Normal
FileSize : 404 KB
FileVersion : 3.7.0.3083
ProductVersion : 3.7.3083
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 12/25/2003 5:35:22 PM
Last accessed : 7/7/2004 1:42:32 AM
Last modified : 4/22/2003 10:43:44 PM

#:23 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ThreadCreationTime : 7-7-2004 1:42:51 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
OriginalFilename : AcroTray.exe
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
Created on : 10/28/2002 7:40:17 PM
Last accessed : 7/7/2004 1:42:58 AM
Last modified : 3/15/2001 10:18:18 AM

#:24 [blackice.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ThreadCreationTime : 7-7-2004 1:42:52 AM
BasePriority : Normal
FileSize : 756 KB
FileVersion : 3.6.44
ProductVersion : 3.6
Copyright : Copyright
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
OriginalFilename : blackice.exe
ProductName : Internet Security Systems, Inc. BlackICE
Created on : 11/27/2003 12:43:17 AM
Last accessed : 7/7/2004 1:42:58 AM
Last modified : 10/15/2003 8:40:50 PM

#:25 [bttray.exe]
FilePath : C:\Program Files\Widcomm\Bluetooth Software\
ThreadCreationTime : 7-7-2004 1:42:52 AM
BasePriority : Normal
FileSize : 248 KB
FileVersion : 2.5.3
ProductVersion : 1.2.2.15
Copyright : Copyright 2001-02, WIDCOMM Inc.
CompanyName : WIDCOMM Inc.
FileDescription : Bluetooth Tray Application
InternalName : BTTray
OriginalFilename : BTTray.exe
ProductName : WIDCOMM Bluetooth Software 1.2.2.15
Created on : 6/19/2002 2:34:08 PM
Last accessed : 7/7/2004 1:42:52 AM
Last modified : 6/19/2002 2:34:08 PM

#:26 [touchsense.exe]
FilePath : C:\Program Files\Immersion Corporation\TouchSense\Server\
ThreadCreationTime : 7-7-2004 1:42:54 AM
BasePriority : High
FileSize : 548 KB
FileVersion : 1.0.0.9
ProductVersion : 1.0.0.0
Copyright : Copyright © 2001
CompanyName : Immersion Corporation
FileDescription : Immersion® TouchWare® Applications COM Server
InternalName : TouchSense
OriginalFilename : TouchSense.EXE
ProductName : Immersion® TouchWare® Applications
Created on : 4/26/2002 2:47:36 PM
Last accessed : 7/7/2004 1:37:56 AM
Last modified : 4/26/2002 2:47:36 PM

#:27 [msgsys.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:42:57 AM
BasePriority : Normal
FileSize : 14 KB
FileVersion : 6.0.201.0940 E
ProductVersion : 6.0
Copyright : Copyright
CompanyName : Intel Corporation
FileDescription : CBA -- Message System
InternalName : MsgExe
OriginalFilename : MsgSys.EXE
ProductName : Intel Common Base Agent
Created on : 9/18/2000 10:12:40 PM
Last accessed : 7/7/2004 1:37:56 AM
Last modified : 9/18/2000 10:12:40 PM

#:28 [btstackserver.exe]
FilePath : C:\Program Files\Widcomm\Bluetooth Software\
ThreadCreationTime : 7-7-2004 1:42:58 AM
BasePriority : Normal
FileSize : 820 KB
FileVersion : 1.5.5
ProductVersion : 1.2.2.15
Copyright : Copyright 2001-02, WIDCOMM Inc.
CompanyName : WIDCOMM Inc.
FileDescription : Bluetooth Stack COM Server
InternalName : BTStackServer
OriginalFilename : BTStackServer.exe
ProductName : Bluetooth COM Server
Created on : 6/19/2002 2:38:38 PM
Last accessed : 7/7/2004 1:37:56 AM
Last modified : 6/19/2002 2:38:38 PM

#:29 [hphipm11.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-7-2004 1:43:05 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 5/24/2002 12:46:13 PM
Last accessed : 7/7/2004 1:36:46 AM
Last modified : 5/24/2002 12:46:13 PM

#:30 [blackd.exe]
FilePath : C:\Program Files\ISS\BlackICE\
ThreadCreationTime : 7-7-2004 2:03:50 AM
BasePriority : Normal
FileSize : 1182 KB
FileVersion : 3.6.47
ProductVersion : 3.6
Copyright : Copyright
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
OriginalFilename : blackd.exe
ProductName : Network ICE Corporation blackd
Created on : 10/29/2002 7:39:37 PM
Last accessed : 7/7/2004 1:37:56 AM
Last modified : 10/16/2003 11:50:18 PM

#:31 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-7-2004 2:06:39 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/6/2003 12:38:12 AM
Last accessed : 7/7/2004 1:46:01 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


Registry scan result :

New objects : 0
Objects found so far: 0


Started deep registry scan

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pagetemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bartemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanttemp\sp.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{21E97C48-2C33-4F04-91B4-4A6D0C9D7536}


CoolWebSearch Object recognized!
Type : File
Data : beal.dll
Object : c:\windows\system32\
FileSize : 30 KB
Created on : 7/7/2004 2:03:39 AM
Last accessed : 7/7/2004 2:05:43 AM
Last modified : 7/7/2004 2:03:39 AM



CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{73F28F0A-2551-4958-8409-471759558325}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/plain


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21E97C48-2C33-4F04-91B4-4A6D0C9D7536}


Deep registry scan result :

New objects : 13
Objects found so far: 14


Deep scanning and examining files (C:)


Disk scan result for C:\

New objects : 0
Objects found so far: 14


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)


Hosts file scan result:

758 entries scanned.
New objects :0
Objects found so far: 14




Performing conditional scans..


CoolWebSearch Object recognized!
Type : File
Data : sp.html
Object : c:\docume~1\admini~1.awt\locals~1\temp\
FileSize : 7 KB
Created on : 7/7/2004 2:03:39 AM
Last accessed : 7/7/2004 2:03:54 AM
Last modified : 7/7/2004 2:03:54 AM



Conditional scan result:

New objects : 1
Objects found so far: 15


10:36:48 PM Scan complete

Summary of this scan

Total scanning time :00:30:01:250
Objects scanned :341797
Objects identified :15
Objects ignored :0
New objects :15






My HijackThis log (note: this is after I ran Ad-aware and cleaned the stuff off, so it looks a little clean):
Logfile of HijackThis v1.97.7
Scan saved at 10:42:18 PM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Widcomm\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator.AWTRY\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion.com/plugins/ImmWeb.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/...k1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7559.4511689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...270/mcfscan.cab
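As an added example that is not part of the thread or of Lavasoft's tooling: a small Python parser for the Ad-aware "Object recognized!" record format quoted above, run over a constructed, trimmed copy of that log. It lists the hijacked IE values, the redirects to an sp.html under Temp and the CoolWebSearch components, so the scan's findings can be read as what was changed rather than scanned by eye.

```python
"""Parse the "Object recognized!" records of an Ad-aware 6 scan log.
Added example for this thread (not code from the thread or from Lavasoft);
SAMPLE_LOG is a constructed, trimmed copy of the deep-registry-scan section quoted above."""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{21E97C48-2C33-4F04-91B4-4A6D0C9D7536}

CoolWebSearch Object recognized!
Type : File
Data : beal.dll
Object : c:\windows\system32\
FileSize : 30 KB

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html
"""

HEADER_RE = re.compile(r"^(?P<family>.+?) Object recognized!$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s?(?P<val>.*)$")
TEMP_FILE_RE = re.compile(r"^file://.*\\temp\\", re.IGNORECASE)   # local file under a Temp folder


@dataclass
class Finding:
    family: str                 # "CoolWebSearch" or "Possible Browser Hijack attempt"
    kind: str = ""              # the Type field: RegData, RegKey or File
    fields: dict = field(default_factory=dict)

    @property
    def location(self) -> str:  # directory+name for files, rootkey\key[\value] for registry
        if self.kind == "File":
            return self.fields.get("Object", "") + self.fields.get("Data", "")
        loc = self.fields.get("Rootkey", "") + "\\" + self.fields.get("Object", "")
        if "Value" in self.fields:
            loc += "\\" + self.fields["Value"]
        return loc


def parse_adaware_log(text: str) -> list:
    """Turn each 'Object recognized!' block (closed by a blank line) into a Finding."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = Finding(family=m.group("family"))
            findings.append(current)
            continue
        if not line:
            current = None      # a blank line ends the record
            continue
        fm = FIELD_RE.match(line)
        if current is None or not fm:
            continue            # summary lines outside a record are ignored
        key, val = fm.group("key").strip(), fm.group("val").strip().strip('"')
        if key == "Type":
            current.kind = val
        else:
            current.fields[key] = val   # the repeated Data line carries the same value
    return findings


def hijacked_ie_values(findings) -> dict:
    """Registry values Ad-aware flagged as hijacked, keyed by their full path."""
    return {f.location: f.fields.get("Data", "") for f in findings if f.kind == "RegData"}


def temp_file_redirects(findings) -> list:
    """Hijacked values redirected to a local file under Temp (the sp.html pattern in this thread)."""
    return [loc for loc, val in hijacked_ie_values(findings).items() if TEMP_FILE_RE.search(val)]


def cws_components(findings) -> list:
    """Registry keys and files attributed to the CoolWebSearch family."""
    return [f.location for f in findings if f.family == "CoolWebSearch"]
```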
CalamityJane
Ok, great! We aren't done yet. That log gives me the name of the hidden dll causing the reinfection. We'll get rid of it first and then can clean up the rest.

Open the FindnFix folder.
Open the keys1 folder.

If you receive an error while trying to edit, see below for instructions.

RightClick on the MOVEit.bat file, select--> edit.
Copy and paste this line into the batch file, replacing the line there.

move %WinDir%\System32\ms.dll %SystemDrive%\junkxxx\ms.dll

Save the file and close.

(Get ready to restart!)
Still in the keys1 folder, double click on FIX.bat.
You will get an alert of ~20 secs before reboot.
Allow it to reboot!

On restart, Open the FindnFix folder.
DoubleClick on RESTORE.bat.
When it is finished, open the FindnFix folder.
Post the contents of Log1.txt in this thread.

=== In the Event an Error Occurs Trying to Edit ===
Occasionally when trying to edit the MOVEit.bat file the following error occurs: "Windows cannot find 'C:\FINDnFIX\keys1\MOVEit.bat'. Make sure you typed the name correctly then try again."

If that happens, please open Notepad or Wordpad. Choose *file* and then *open* the MOVEit.bat file and then you can replace the line as instructed above.
awtry
You are such a workhorse! I can't thank you enough! Hope we're doing this OK so far; here's the result of the newest FindnFix log (did you want that gibberish at the end?):


*** freeatlast100.100free.com ***

Thu 07/08/2004
7:56pm up 0 days, 0:01

Microsoft Windows XP [Version 5.1.2600]
IE build and last SP(s)
6.0.2800.1106 SP1-Q328970-Q324929-Q810847-Q813951-Q813489-Q330994-Q818529-Q822925-Q828750-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.

***LOG1!***
Scanning for file(s) in System32...

(1)

(2)
**File C:\FINDnFIX\LIST.TXT

(3)

No matches found.

No matches found.

No matches found.

(4)
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.



(5)
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT

* Scanning for moved file... *

* result\\?\C:\JUNKXXX\MS.222


C:\JUNKXXX\
ms.222 Fri Jun 18 2004 4:08:52p A.... 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\MS.222

**File C:\JUNKXXX\MS.222
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2......

A----- MS .222 0000E000 16:08.52 18/06/2004

move %WinDir%\System32\ms.dll %SystemDrive%\junkxxx\ms.dll
--a-- W32i - - - - 57,344 06-18-2004 ms.222
A C:\junkxxx\ms.222
File: <C:\junkxxx\ms.222>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249




Permissions:
C:\junkxxx\ms.222 Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

C:\junkxxx\ms.222 Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

NT AUTHORITY\SYSTEM:F
BUILTIN\Administrators:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x AWTRY\Administrator
Allow 0000001B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000012 tc-- 00100004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00100002 ---- ---- -w-- BUILTIN\Users
Allow 00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: AWTRY\Administrator

Primary Group: AWTRY\None

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 001F01FF ---- DSPO rw+x \CREATOR OWNER
Allow 00000000 t--- 00120088 ---- -S-- ---- \Everyone
Allow 00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000002 tc-- 00100004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00100002 ---- ---- -w-- BUILTIN\Users

Owner: BUILTIN\Administrators

Primary Group: NT AUTHORITY\SYSTEM

File "C:\junkxxx\ms.222"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: AWTRY\Administrator

Primary Group: AWTRY\None


Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Notepad check....

C:\WINDOWS\
notepad.exe Fri Jun 18 2004 4:08:40p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\
notepad.exe Fri Jun 18 2004 4:13:46p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K

C:\WINDOWS\SYSTEM32\DLLCACHE\
notepad.exe Fri Jun 18 2004 4:08:40p A.... 66,048 64.50 K

1 item found: 1 file, 0 directories.
Total of file sizes: 66,048 bytes 64.50 K
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 06-18-2004 notepad.exe
Language 0x0409 (English (United States))
CharSet 0x04b0 Unicode
OleSelfRegister Disabled
CompanyName Microsoft Corporation
FileDescription Notepad
InternalName Notepad
OriginalFilenam NOTEPAD.EXE
ProductName Microsoft Windows Operating System
ProductVersion 5.1.2600.0
FileVersion 5.1.2600.0 (xpclient.010817-1148)
LegalCopyright Microsoft Corporation. All rights reserved.

VS_FIXEDFILEINFO:
Signature: feef04bd
Struc Ver: 00010000
FileVer: 00050001:0a280000 (5.1:2600.0)
ProdVer: 00050001:0a280000 (5.1:2600.0)
FlagMask: 0000003f
Flags: 00000000
OS: 00040004 NT Win32
FileType: 00000001 App
SubType: 00000000
FileDate: 00000000:00000000


---------- WIN.TXT
fAppInit_DLLs֍GC

---------- NEWWIN.TXT
utAppInit_DLLsvk
--------------
yes
C:\WINDOWS\system32
**File C:\FINDnFIX\NEWWIN.TXT
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 75 74 . 5F 44 4C 4C 73 76 6B 18 ......ut _DLLsvk.
**File C:\FINDnFIX\NEWWIN.TXT
CalamityJane
Open the FindnFix folder.
Open the Files2 folder.
Double Click on the ZIPZAP.bat.

It will quickly clean the rest and will make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions.

Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to your log file in the email.

When done, please delete the entire FindnFix folder, as it now contains the infected files and should be disposed of.

Run CWShredder and Adaware (check for the latest updates first!). Then reboot and post a fresh HijackThis Log, please :)
awtry
So, doc, am I clean?

Logfile of HijackThis v1.97.7
Scan saved at 11:18:26 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Immersion Corporation\TouchSense\Server\TouchSense.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\Program Files\Widcomm\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Documents and Settings\Administrator.AWTRY\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\ctnotify.exe
O4 - HKLM\..\Run: [IDesktop.2.5] C:\PROGRA~1\IMMERS~1\TOUCHS~1\Clients\Desktop\IDesktop.exe 1
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {5CA42785-ABC3-11D2-9F81-00104B2225C5} (Immersion Web ActiveX Control) - http://www.immersion.com/plugins/ImmWeb.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/...k1/isetupml.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7559.4511689815
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...270/mcfscan.cab
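An added example, not from the thread or from HijackThis: a Python triage that diffs two HijackThis logs and flags the entry types that carried this infection, so "am I clean?" can be answered by what disappeared between scans. BEFORE and AFTER are constructed from lines quoted in the thread (mirroring the 7/6 and 7/8 scans); the O2 line in BEFORE is hypothetical and pairs the BHO CLSID and beal.dll that Ad-aware reported as separate objects.

```python
"""Triage HijackThis v1.97 logs: diff two scans and flag entries worth a closer look.
Added example for this thread, not code from the thread or from HijackThis. BEFORE and
AFTER are constructed from lines quoted in the thread; the O2 line is hypothetical and
pairs the BHO CLSID and beal.dll that Ad-aware reported as separate objects."""
import re

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
TEMP_FILE_RE = re.compile(r"file://.*\\temp\\", re.IGNORECASE)   # local file under a Temp folder

BEFORE = r"""
Logfile of HijackThis v1.97.7
Scan saved at 10:42:18 PM, on 7/6/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1.AWT\LOCALS~1\Temp\sp.html
O2 - BHO: (no name) - {21E97C48-2C33-4F04-91B4-4A6D0C9D7536} - C:\WINDOWS\System32\beal.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
"""

AFTER = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:18:26 PM, on 7/8/2004

Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} -
"""


def parse_hjt(text: str):
    """Return (processes, entries): the 'Running processes:' block and every Rn/On/Fn/Nn line."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False        # a blank line ends the process list
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def diff_scans(before: str, after: str) -> dict:
    """What disappeared and what appeared between two scans of the same machine."""
    procs_b, ents_b = parse_hjt(before)
    procs_a, ents_a = parse_hjt(after)
    return {
        "entries_removed": sorted(set(ents_b) - set(ents_a)),
        "entries_added": sorted(set(ents_a) - set(ents_b)),
        "processes_removed": sorted(set(procs_b) - set(procs_a)),
        "processes_added": sorted(set(procs_a) - set(procs_b)),
    }


def review_reasons(entry: str) -> list:
    """Reasons an entry deserves a closer look; rules drawn from this thread's symptoms."""
    kind = entry.split(" - ", 1)[0]
    reasons = []
    if kind in ("R0", "R1"):
        if entry.endswith("= about:blank"):
            reasons.append("IE start/search value reset to about:blank (CWS.SearchX symptom)")
        if TEMP_FILE_RE.search(entry):
            reasons.append("IE search value points at a local file under a Temp folder")
    elif kind == "O2":
        reasons.append("BHO DLL is loaded into every IE process; verify the file")
        if "(no name)" in entry:
            reasons.append("BHO registered without a name")
    elif kind == "O16" and entry.endswith(" -"):
        reasons.append("downloaded ActiveX control with no name or source URL recorded")
    return reasons


def triage(text: str) -> dict:
    """Map each flagged entry of a log to its review reasons."""
    _, entries = parse_hjt(text)
    flagged = {}
    for entry in entries:
        reasons = review_reasons(entry)
        if reasons:
            flagged[entry] = reasons
    return flagged
```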
CalamityJane
Yes, I think you are clean now.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP... why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA), from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 1.2 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx

You might also consider an alternative browser and use IE only when needed for sites that require ActiveX and are trusted (like Windows update or the online virus scanners). I use Firefox for 99% of my everyday surfing (using it right now in fact). It's free and very easy to set up, understand and use without many of the vulnerabilities that IE has. Or feel free to search around for info on other alternative browsers.

Firefox
http://www.mozilla.org/products/firefox/
awtry
UNBELIEVABLE!

Thank you so much for helping me out with this insurmountable problem. You've got a terrific resource, and deserve to go to some kind of tech heaven for all the folks you're getting out of jams.

Thanks again...
CalamityJane
Glad we could help, awtry

Stay Safe and happy surfing....
Invision Power Board © 2001-2009 Invision Power Services, Inc.