Good morning everyone.
Here's the sum up: I have Shopping Wizard and Home Search Assistent (sic) in my Add/Remove Programs list, but I get errors when I try to remove them.
I have 3 bookmarks that keep coming back no matter what I do.
Ad-Aware finds CoolWWWSearch and says it successfully removes it. SpyBot S&D also finds CoolWWWSearch.Aff.Winshow and successfully removes it. Neither CWS Shredder nor Killer finds anything. After I reboot, Ad-Aware finds the exact same entries in the registry.
IE redirects to about:blank, and I get about:blank pop-ups.
Thank you all very much for your tremendous help.
Ad-Aware log and HiJackThis log follow:
Ad-Aware SE Build 1.06r1
Logfile Created on:Wednesday, June 01, 2005 11:45:06 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R49 31.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):19 total references
MRU List(TAC index:0):3 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
6-1-2005 11:45:06 AM - Scan started. (Custom mode)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 6-1-2005 3:39:26 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 6-1-2005 3:40:46 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 6-1-2005 3:40:49 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 6-1-2005 3:40:50 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 6-1-2005 3:40:50 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe
#:6 [ibmpmsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 348
ThreadCreationTime : 6-1-2005 3:40:52 PM
BasePriority : Normal
#:7 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 420
ThreadCreationTime : 6-1-2005 3:40:53 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 468
ThreadCreationTime : 6-1-2005 3:40:53 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ProcessID : 524
ThreadCreationTime : 6-1-2005 3:40:53 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe
#:10 [ati2evxx.exe]
FilePath : C:\WINNT\System32\
ProcessID : 600
ThreadCreationTime : 6-1-2005 3:41:04 PM
BasePriority : Normal
#:11 [avsynmgr.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 616
ThreadCreationTime : 6-1-2005 3:41:05 PM
BasePriority : Normal
#:12 [residentagent.exe]
FilePath : C:\Program Files\LANDesk\Shared Files\
ProcessID : 640
ThreadCreationTime : 6-1-2005 3:41:05 PM
BasePriority : Normal
FileVersion : 8.5.0.19
ProductVersion : 8.5.0.19
ProductName : LANDesk® Management Agent
CompanyName : LANDesk® Development, Ltd
FileDescription : Resident Agent Application
InternalName : Resident Agent
LegalCopyright : Copyright © 2003-2004, LANDesk Software, Ltd.
OriginalFilename : resident.exe
#:13 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ProcessID : 660
ThreadCreationTime : 6-1-2005 3:41:05 PM
BasePriority : Normal
FileVersion : 4.0.3 (Rel)
ProductVersion : 4.0.3 (Rel)
ProductName : Cisco Systems VPN Client
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
LegalCopyright : Copyright © 1998-2003 Cisco Systems, Inc.
OriginalFilename : CVPND.EXE
#:14 [localsch.exe]
FilePath : C:\Program Files\LANDesk\LDClient\
ProcessID : 352
ThreadCreationTime : 6-1-2005 3:41:08 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software Ltd.
FileDescription : LocalSch
InternalName : Local Scheduler Service
LegalCopyright : Copyright© 2004 LANDesk Software Ltd.
OriginalFilename : LocalSch.exe
#:15 [pds.exe]
FilePath : C:\WINNT\system32\cba\
ProcessID : 744
ThreadCreationTime : 6-1-2005 3:41:09 PM
BasePriority : Normal
FileVersion : 6.12.0.133 E
ProductVersion : 6.12.0.133
ProductName : Intel Common Base Agent
CompanyName : Intel® Corporation
FileDescription : CBA -- Ping Discovery Service
InternalName : PDS
LegalCopyright : Copyright © 1997-2001 Intel® Corporation
LegalTrademarks : LANDesk® is a registered trademark of Intel Corporation
OriginalFilename : PDS.EXE
#:16 [qipclnt.exe]
FilePath : C:\Program Files\LANDesk\LDClient\
ProcessID : 788
ThreadCreationTime : 6-1-2005 3:41:09 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software Ltd.
FileDescription : QIP Client
InternalName : QIPClnt
LegalCopyright : Copyright© 2004 LANDesk Software Ltd.
OriginalFilename : qipclnt.exe
#:17 [tmcsvc.exe]
FilePath : C:\Program Files\LANDesk\LDClient\
ProcessID : 800
ThreadCreationTime : 6-1-2005 3:41:10 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software Ltd.
FileDescription : Targeted Multicast Client Service Executable
InternalName : sdmsvc
LegalCopyright : Copyright© 2004 LANDesk Software Ltd.
OriginalFilename : sdmsvc.exe
#:18 [issuser.exe]
FilePath : C:\PROGRA~1\LANDesk\LDClient\
ProcessID : 840
ThreadCreationTime : 6-1-2005 3:41:11 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software, Ltd.
FileDescription : Remote Control Client
LegalCopyright : Copyright© 2003 LANDesk Software, Ltd.
#:19 [frameworkservice.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 808
ThreadCreationTime : 6-1-2005 3:41:11 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Framework Service
InternalName : Framework
LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : Framework.exe
#:20 [qconsvc.exe]
FilePath : C:\WINNT\System32\
ProcessID : 996
ThreadCreationTime : 6-1-2005 3:41:15 PM
BasePriority : Normal
#:21 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1012
ThreadCreationTime : 6-1-2005 3:41:16 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE
#:22 [vsstat.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 1020
ThreadCreationTime : 6-1-2005 3:41:16 PM
BasePriority : Normal
#:23 [mstask.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1036
ThreadCreationTime : 6-1-2005 3:41:16 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe
#:24 [vshwin32.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 1108
ThreadCreationTime : 6-1-2005 3:41:17 PM
BasePriority : Normal
#:25 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 1124
ThreadCreationTime : 6-1-2005 3:41:17 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999
#:26 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1140
ThreadCreationTime : 6-1-2005 3:41:18 PM
BasePriority : Normal
FileVersion : 7.10.00.3068
ProductVersion : 7.10.00.3068
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE
#:27 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1152
ThreadCreationTime : 6-1-2005 3:41:18 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
#:28 [softmon.exe]
FilePath : C:\Program Files\LANDesk\LDClient\
ProcessID : 1196
ThreadCreationTime : 6-1-2005 3:41:19 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software Ltd.
FileDescription : LANDesk Software Monitor
InternalName : LANDesk Software Monitor
LegalCopyright : Copyright© 2004 LANDesk Software Ltd.
OriginalFilename : softmon.exe
#:29 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 128
ThreadCreationTime : 6-1-2005 3:41:19 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE
#:30 [webscanx.exe]
FilePath : C:\Program Files\Network Associates\VirusScan\
ProcessID : 1276
ThreadCreationTime : 6-1-2005 3:41:22 PM
BasePriority : Normal
#:31 [naprdmgr.exe]
FilePath : C:\PROGRA~1\NETWOR~1\COMMON~1\
ProcessID : 1300
ThreadCreationTime : 6-1-2005 3:41:23 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : NAI Product Manager
InternalName : Product Manager
LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : naPrdMgr.exe
#:32 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 1332
ThreadCreationTime : 6-1-2005 3:41:23 PM
BasePriority : Normal
FileVersion : 7.2.3.10 24Jun03
ProductVersion : 7.2.3.10 24Jun03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPLpr.exe
#:33 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ProcessID : 1340
ThreadCreationTime : 6-1-2005 3:41:24 PM
BasePriority : Normal
FileVersion : 7.2.3.10 24Jun03
ProductVersion : 7.2.3.10 24Jun03
ProductName : Progressive Touch
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
LegalCopyright : Copyright © Synaptics, Inc. 1996-2002
OriginalFilename : SynTPEnh.exe
#:34 [agrsmmsg.exe]
FilePath : C:\WINNT\
ProcessID : 1356
ThreadCreationTime : 6-1-2005 3:41:24 PM
BasePriority : Normal
FileVersion : 2.1.7 2.1.7 02/22/2002 15:37:42
ProductVersion : 2.1.7 2.1.7 02/22/2002 15:37:42
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe
#:35 [prpcui.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1388
ThreadCreationTime : 6-1-2005 3:41:24 PM
BasePriority : Normal
FileVersion : 2.2.0.0
ProductVersion : 2.2.0.0
ProductName : Intel® SpeedStep technology applet
CompanyName : Intel Corporation
FileDescription : Intel® SpeedStep technology User Interface
InternalName : prpcui.exe
LegalCopyright : Copyright© Intel Corporation 1998-2001
LegalTrademarks : Intel® SpeedStep technology
OriginalFilename : prpcui.exe
Comments : Intel SpeedStep technology Applet v2.2
#:36 [tphkmgr.exe]
FilePath : C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\
ProcessID : 1396
ThreadCreationTime : 6-1-2005 3:41:25 PM
BasePriority : Normal
#:37 [rundll32.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1424
ThreadCreationTime : 6-1-2005 3:41:25 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : RUNDLL.EXE
#:38 [updaterui.exe]
FilePath : C:\Program Files\Network Associates\Common Framework\
ProcessID : 1452
ThreadCreationTime : 6-1-2005 3:41:26 PM
BasePriority : Normal
FileVersion : 3.1.1.184
ProductName : McAfee Common Framework
CompanyName : Network Associates, Inc.
FileDescription : Common User Interface
InternalName : UpdaterUI
LegalCopyright : Copyright© 2000-2003 Networks Associates Technology, Inc. All Rights Reserved.
OriginalFilename : UpdaterUI.exe
#:39 [sdclientmonitor.exe]
FilePath : C:\Program Files\LANDesk\LDClient\webportal\
ProcessID : 1464
ThreadCreationTime : 6-1-2005 3:41:27 PM
BasePriority : Normal
FileVersion : 8.5.0.164
ProductVersion : 8.5.0.164
ProductName : LANDesk® Management Suite
CompanyName : LANDesk Software Ltd.
FileDescription : TODO: <File description>
InternalName : SDClientMonitor.exe
LegalCopyright : Copyright© 2004 LANDesk Software Ltd.
OriginalFilename : SDClientMonitor.exe
#:40 [sdkyi.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1492
ThreadCreationTime : 6-1-2005 3:41:27 PM
BasePriority : Normal
#:41 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ProcessID : 1600
ThreadCreationTime : 6-1-2005 3:41:32 PM
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6028)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English
#:42 [rimdevicemanager.exe]
FilePath : C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\
ProcessID : 1660
ThreadCreationTime : 6-1-2005 3:41:34 PM
BasePriority : Normal
FileVersion : 3.6.2.9 (Release build by unknown)
ProductVersion : 3.6.2.9 (Release build by unknown)
ProductName : Desktop Tools for RIM Handheld Devices
CompanyName : Research In Motion Limited
FileDescription : Handheld Tools RimDeviceManager
InternalName : RimDeviceManager
LegalCopyright : © 1997-2003 Research In Motion Limited.
OriginalFilename : RimDeviceManager.exe
#:43 [msoffice.exe]
FilePath : C:\Program Files\Microsoft Office\Office\1033\
ProcessID : 1668
ThreadCreationTime : 6-1-2005 3:41:35 PM
BasePriority : Normal
FileVersion : 9.0.2601
ProductVersion : 9.0.2601
ProductName : Microsoft Office 2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft Office 2000 component
InternalName : MSOFFICE
LegalCopyright : Copyright© Microsoft Corporation 1994-1999. All rights reserved.
OriginalFilename : MSOFFICE.EXE
#:44 [bbdevmgr.exe]
FilePath : C:\Program Files\Common Files\Research In Motion\USB Drivers\
ProcessID : 1708
ThreadCreationTime : 6-1-2005 3:41:36 PM
BasePriority : Normal
FileVersion : 1.1.0.12
ProductVersion : 1.1.0.12
ProductName : RIM handheld driver
CompanyName : Research In Motion Limited
FileDescription : RIM handheld device manager
InternalName : BbDevMgr
LegalCopyright : Copyright 2004 Research In Motion Limited
OriginalFilename : BbDevMgr.EXE
#:45 [mcshield.exe]
FilePath : C:\Program Files\Common Files\Network Associates\McShield\
ProcessID : 1604
ThreadCreationTime : 6-1-2005 3:42:46 PM
BasePriority : High
#:46 [msiexec.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1756
ThreadCreationTime : 6-1-2005 3:42:46 PM
BasePriority : Normal
#:47 [svchost.exe]
FilePath : C:\WINNT\System32\
ProcessID : 1952
ThreadCreationTime : 6-1-2005 3:42:49 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
#:48 [sdkak.exe]
FilePath : C:\WINNT\system32\
ProcessID : 1980
ThreadCreationTime : 6-1-2005 3:42:49 PM
BasePriority : Normal
#:49 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1468
ThreadCreationTime : 6-1-2005 3:44:48 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : Start
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : ErrorControl
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : ImagePath
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : DisplayName
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : ObjectName
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : system\currentcontrolset\services\ 11fßä#·ºÄÖ`i
Value : FailureActions
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 7
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-287920652-361002115-1528318997-500\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-287920652-361002115-1528318997-500\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
TAC Rating : 10
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\Documents and Settings\Administrator\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Only -- The nicest hobby on Earth ;) -- website.url
TAC Rating : 10
Category : Misc
Comment : Problematic URL discovered: http://www.only-- The nicest hobby on Earth ;) --.ws/
Object : C:\Documents and Settings\Administrator\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free porn.url
TAC Rating : 10
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\Documents and Settings\Administrator\Favorites\
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString
CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString
CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString
CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar
CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no
CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank
CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no
CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 12
Objects found so far: 25
11:53:11 AM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:04.437
Objects scanned:78839
Objects identified:22
Objects ignored:0
New critical objects:22
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:03:33 PM, on 6/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINNT\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINNT\system32\sdkyi.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\sdkak.exe
E:\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\udsga.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-relay:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 172.16.*.*;<local>
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\Program Files\LANDesk\LDClient\softmon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {C712592C-C0E3-647D-3991-4EF25619B7DF} - C:\WINNT\system32\mfcrx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [sdkyi.exe] C:\WINNT\system32\sdkyi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Legal55 4.0.lnk = C:\Program Files\Legal55 4.0\Legal55_3.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.holycross.edu/departments/publi...sCamControl.ocx
O16 - DPF: {CA34C280-5156-4E04-857A-BB69604B2F09} (EditXCon Class) - http://prvwestkm1/km/controls/aleph.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ealaw.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ealaw.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk® Development, Ltd - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: Intel QIP Client Service - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\qipclnt.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
Again, thank you very much.