Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijack Log

Unread postby mbresnahan » April 21st, 2005, 8:06 pm

I've got another one, I've signed up to learn. Can I start here with this infected laptop?
Thanks in Advance!
Michael


Logfile of HijackThis v1.99.1
Scan saved at 7:42:14 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Documents and Settings\DR. MILLER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: (no name) - {DC254B40-A1F4-A170-D34E-8F1D821018CE} - C:\WINDOWS\System32\idy.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\DR. MILLER\Local Settings\Temp\GzE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [hkSPFT0Y.exe] C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\Wszv.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ios4b] C:\WINDOWS\System32\ios4b.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [cpmonuit] C:\WINDOWS\System32\cpmonuit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [9dd3edb39ca7] C:\WINDOWS\System32\msjtes40.exe
O4 - HKLM\..\Run: [rRMFkq8A.exe] C:\documents and settings\dr. miller\local settings\temp\rRMFkq8A.exe
O4 - HKLM\..\Run: [niAAqE.exe] C:\documents and settings\dr. miller\local settings\temp\niAAqE.exe
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [onymqads] C:\WINDOWS\System32\onymqads.exe
O4 - HKLM\..\Run: [_852c] C:\WINDOWS\System32\_852c.exe
O4 - HKLM\..\Run: [s3rf37g] dvdo84km.exe
O4 - HKLM\..\Run: [02703d037652] C:\WINDOWS\System32\MSOEACCT.exe
O4 - HKLM\..\RunOnce: [cetec] regedit.exe /s C:\DOCUME~1\DR3D86~1.MIL\LOCALS~1\Temp\cetec.reg
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [d00pRXM8P] irept32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Hslsxwn] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\DR. MILLER\Application Data\emia.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8C78D52-83E0-4E40-9FE2-3B0A56473692}: NameServer = 68.47.0.5,68.47.0.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
mbresnahan
Regular Member
Posts: 63
Joined: April 13th, 2005, 9:53 pm
Location: Augusta, GA

Unread postby wng_z3r0 » April 21st, 2005, 11:21 pm

sure ya can!

Lemme go over the log.... It will take some time (you know how the system works)


wng
Last edited by wng_z3r0 on April 22nd, 2005, 7:35 pm, edited 1 time in total.
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby mbresnahan » April 22nd, 2005, 5:51 am

I did run a Trend Micro AV scan before I did the log.

Unread postby wng_z3r0 » April 22nd, 2005, 8:04 am

did you make the HJT log in safe mode?

Unread postby mbresnahan » April 22nd, 2005, 10:37 am

duh

Unread postby wng_z3r0 » April 22nd, 2005, 4:28 pm

can you please give me a log in normal mode?

wng

Unread postby mbresnahan » April 22nd, 2005, 4:45 pm

Please forgive me, I had to get home to run the log. It was one of those things... duh, I should have known. Here is the log, and thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 4:40:03 PM, on 4/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\msjtes40.exe
C:\documents and settings\dr. miller\local settings\temp\niAAqE.exe
C:\WINDOWS\System32\MSOEACCT.exe
C:\WINDOWS\System32\w?crtupd.exe
C:\Documents and Settings\DR. MILLER\Application Data\emia.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\AdDestroyer\AdDestroyer.exe
C:\Documents and Settings\DR. MILLER\Desktop\HijackThis.exe
C:\WINDOWS\System32\WmrTIB2.exe
C:\WINDOWS\System32\Iar6a6q.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: (no name) - {DC254B40-A1F4-A170-D34E-8F1D821018CE} - C:\WINDOWS\System32\idy.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\DR. MILLER\Local Settings\Temp\GzE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [hkSPFT0Y.exe] C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\HuoTdA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ios4b] C:\WINDOWS\System32\ios4b.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [cpmonuit] C:\WINDOWS\System32\cpmonuit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [9dd3edb39ca7] C:\WINDOWS\System32\msjtes40.exe
O4 - HKLM\..\Run: [rRMFkq8A.exe] C:\documents and settings\dr. miller\local settings\temp\rRMFkq8A.exe
O4 - HKLM\..\Run: [niAAqE.exe] C:\documents and settings\dr. miller\local settings\temp\niAAqE.exe
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\LiveUpdate Client\PtLUWorker.exe
O4 - HKLM\..\Run: [onymqads] C:\WINDOWS\System32\onymqads.exe
O4 - HKLM\..\Run: [_852c] C:\WINDOWS\System32\_852c.exe
O4 - HKLM\..\Run: [s3rf37g] dvdo84km.exe
O4 - HKLM\..\Run: [02703d037652] C:\WINDOWS\System32\MSOEACCT.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [d00pRXM8P] irept32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Hslsxwn] C:\WINDOWS\System32\w?crtupd.exe
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\DR. MILLER\Application Data\emia.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8C78D52-83E0-4E40-9FE2-3B0A56473692}: NameServer = 68.47.0.5,68.47.0.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

Unread postby wng_z3r0 » April 23rd, 2005, 1:26 am

Since you are a trainee, I have posted an explanation of my fix here:
http://www.malwareremoval.com/forum/viewtop ... =5606#5606
==================

We need to disable some of your protection programs. While these programs do help protect a clean system, they may resist the fixes we are attempting.
You have 2 antivirus programs running. This is not a good idea. Please choose either Norton or PC-cillin, then uninstall the other program.

Please disable TeaTimer by:
1. Run Spybot Search & Destroy
2. Click on Mode -> Advanced mode
3. Click on Tools (located at the bottom left hand corner)
4. Click on the icon entitled Resident
5. Uncheck the box next to TeaTimer.
6. RESTART your computer.




You have the Peper Trojan. It is a very stubborn infection which requires a specific tool to remove. There are two tools available. Please follow these instructions in order:

1. Download Newuninst.exe.

2. Run it with an active internet connection.

3. Reboot to finish removing the entries it found.

4. Run the tool a second time (with an active internet connection).

5. Reboot to finish removing the entries it found.


The second tool, which does not require Internet access to clean, is:

1. Please download PeperFix.exe.

2. Start the tool and click Find and Fix.

3. Reboot to finish removing what it found.

4. Run the tool a second time

5. Reboot and then do the next steps.

Please print the below steps. Then disconnect and close all programs (especially internet browsers).
Click the Start button on the lower left hand corner of your computer.
Select and click "Control Panel" from the Start menu.
When the Control Panel window opens, double-click on "Add or Remove Programs".
Find POP! in the alphabetized list of all programs on your computer. It may take a few moments for this list to display.
Click POP! to select it.
Click the POP! Change/Remove button.
Click Yes in the window that opens asking you to confirm that you want to uninstall POP!
Restart your computer to complete the uninstallation process.

Run HijackThis. Place a check next to the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O2 - BHO: (no name) - {DC254B40-A1F4-A170-D34E-8F1D821018CE} - C:\WINDOWS\System32\idy.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\DR. MILLER\Local Settings\Temp\GzE.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [hkSPFT0Y.exe] C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [4X@95ME57C5BM8] C:\WINDOWS\System32\HuoTdA.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [ios4b] C:\WINDOWS\System32\ios4b.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [cpmonuit] C:\WINDOWS\System32\cpmonuit.exe
O4 - HKLM\..\Run: [9dd3edb39ca7] C:\WINDOWS\System32\msjtes40.exe
O4 - HKLM\..\Run: [rRMFkq8A.exe] C:\documents and settings\dr. miller\local settings\temp\rRMFkq8A.exe
O4 - HKLM\..\Run: [niAAqE.exe] C:\documents and settings\dr. miller\local settings\temp\niAAqE.exe
O4 - HKLM\..\Run: [onymqads] C:\WINDOWS\System32\onymqads.exe
O4 - HKLM\..\Run: [_852c] C:\WINDOWS\System32\_852c.exe
O4 - HKLM\..\Run: [s3rf37g] dvdo84km.exe
O4 - HKLM\..\Run: [02703d037652] C:\WINDOWS\System32\MSOEACCT.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [d00pRXM8P] irept32.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKCU\..\Run: [Hslsxwn] C:\WINDOWS\System32\w?crtupd.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe


Then delete these files:
(you may need to show hidden files; if you don't know how, see this tutorial:
http://www.bleepingcomputer.com/forums/tutorial62.html)


C:\WINDOWS\System32\w?crtupd.exe << This file
C:\WINDOWS\System32\msmc.exe << This file
* irept32.exe << This file
C:\PROGRA~1\CLOCKS~1 << This folder
C:\WINDOWS\System32\MSOEACCT.exe << This file
* dvdo84km.exe << This file
C:\WINDOWS\System32\_852c.exe << This file
C:\WINDOWS\System32\onymqads.exe << This file
C:\documents and settings\dr. miller\local settings\temp\niAAqE.exe << This file
C:\documents and settings\dr. miller\local settings\temp\rRMFkq8A.exe << This file
C:\WINDOWS\System32\msjtes40.exe << This file
C:\WINDOWS\System32\cpmonuit.exe << This file
C:\Program Files\Common files\updater << This folder
C:\WINDOWS\System32\ios4b.exe << This file
C:\Program Files\AutoUpdate << This folder
C:\WINDOWS\System32\HuoTdA.exe << This file
C:\WINDOWS\System32\dp-him.exe << This file
C:\WINDOWS\System32\IEHost.exe << This file
C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe << This file

* Locate via Start > Search


Then delete your temp files by going to Start -> Run and typing in:
cleanmgr

Check the box for temporary files and temporary internet files and then click "ok"

Post a new HJT log. Also tell me if you recognize this line:
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\DR. MILLER\Application Data\emia.exe

wng

sorry

Unread postby mbresnahan » April 26th, 2005, 10:27 pm

I'm sorry I have not been able to get on this. I am in the process of adopting. Thanks for your help, I will get on this tomorrow!
Thanks
Michael

Unread postby wng_z3r0 » April 26th, 2005, 11:37 pm

Actually, I need to change something real quick in that fix.

When searching for this file to delete:
C:\WINDOWS\System32\w?crtupd.exe

You will NOT find a file named w?crtupd.exe.
The ? will be a letter or #. However, you may also have a legitimate file by the exact same name IN THE SAME FOLDER!!! So we need to be careful. To delete the file, I want you to open the C:\windows\system32 folder.

Then scroll down to the very bottom. You should see the file as the last item (or almost the last).

Then, right click the file. If you recognize the company, leave it alone. If you don't then delete it.

Note: DON'T delete it if it is not at the very end.


You can check out more here:
http://www.malwareremoval.com/forum/viewtopic.php?t=930

wng
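The fix post and the follow-up above show how wng_z3r0 reads the log by shape before knowing any names: autoruns launched from a Temp folder, entries that are a bare file name Windows has to search for, registrations whose file is gone, a search bar pointing at a local HTML file, and the w?crtupd.exe name that HijackThis cannot display. As an added example (not a MalwareRemoval.com tool and not code from this thread), the Python below applies those structural checks to HijackThis v1.99.1 lines. The sample lines are copied from the log posted in this thread plus a few benign entries; the folder markers and the other heuristics are my own assumptions. One fact the code leans on: `?` is not a legal character in a Windows file name, so a `?` in a logged path can only be HijackThis standing in for a character it could not render, which is why searching for the name as printed finds nothing.

```python
"""Structural triage of HijackThis v1.99.1 log lines (added example, not a MalwareRemoval.com tool)."""
import re

# O4 autorun entries look like:  O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Folder fragments a legitimate autorun should not be launched from (heuristic, my assumption).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

# Windows forbids these characters in file names, so one of them in a logged file name means
# HijackThis substituted it for a character it could not render (the w?crtupd.exe case).
ILLEGAL_NAME_CHARS = '<>:"/\\|?*'


def extract_path(cmd):
    """Pull the executable path out of a command line: quoted, unquoted with spaces, or with switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|bat|scr|pif))(?=\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    # No recognised extension (e.g. 'dumprep 0 -k'): drop trailing switches as best we can.
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0]


def triage_line(line):
    """Return the reasons one HijackThis entry deserves a closer look; an empty list means none."""
    reasons = []
    section, sep, rest = line.partition(" - ")
    if not sep:
        return reasons                       # header, blank or 'Running processes' line
    low = line.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned registration: the target file is absent")
    if section.startswith("R") and "= file://" in low:
        reasons.append("browser search/start page points at a local HTML file")
    if section == "O4":
        m = O4_RE.match(rest)
        if m:
            cmd = m.group("cmd")
        elif " = " in rest:                  # 'Startup:' / 'Global Startup:' shortcut entries
            cmd = rest.split(" = ", 1)[1]
        else:
            cmd = rest
        if cmd.strip() == "?":
            reasons.append("shortcut target could not be resolved")
        else:
            path = extract_path(cmd)
            if "\\" not in path:
                reasons.append("bare file name with no folder, resolved through the PATH search order")
            if any(marker in path.lower() for marker in TEMP_MARKERS):
                reasons.append("autorun launched from a temp folder")
            filename = path.rsplit("\\", 1)[-1]
            if any(ch in ILLEGAL_NAME_CHARS for ch in filename):
                reasons.append("file name contains a character Windows forbids: HijackThis could not render the real one")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log and return [(line, reasons)] for the flagged entries only."""
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            results.append((line, reasons))
    return results


# Constructed sample: lines copied from the log posted in this thread plus a few benign entries.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm",
    r"R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)",
    r"O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)",
    r"O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe",
    r"O4 - HKLM\..\Run: [hkSPFT0Y.exe] C:\documents and settings\dr. miller\local settings\temp\hkSPFT0Y.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\Run: [s3rf37g] dvdo84km.exe",
    r"O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q",
    r"O4 - HKCU\..\Run: [Hslsxwn] C:\WINDOWS\System32\w?crtupd.exe",
    r"O4 - Global Startup: SmartUI.lnk = ?",
    r"O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe",
])

if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("    ->", r)
```

Run it directly to print the flagged entries. The checks are purely structural: ClockSync and dp-him.exe in the fix above are identified by name, not by shape, so a clean run of this script is a starting point for reading a log, not a verdict.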

Unread postby mbresnahan » April 27th, 2005, 8:37 pm

No idea where emia.exe is from, but I searched on the net and found it is a mail program of some sort. Here is the HJT log, and thanks again for your help. I read your process and it was very helpful for my training.

Logfile of HijackThis v1.99.1
Scan saved at 8:31:05 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Documents and Settings\DR. MILLER\Application Data\emia.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\DR. MILLER\Desktop\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\WatchGuard\Mobile User VPN\ifcfg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\LiveUpdate Client\PtLUWorker.exe
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\DR. MILLER\Application Data\emia.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8C78D52-83E0-4E40-9FE2-3B0A56473692}: NameServer = 68.47.0.5,68.47.0.6
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Unread postby mbresnahan » April 27th, 2005, 9:52 pm

I installed and ran Microsoft AntiSpyware and here is the log.
It cleaned 32 objects.

4/27/2005 9:23:41 PM::------------------------------------------------------------------
4/27/2005 9:23:41 PM::Initializing Clean - (ScanID: F1CBE480-353A-4A2B-8192-C336F3)
4/27/2005 9:23:41 PM::Remove Threat (ID:11648)
4/27/2005 9:23:41 PM::Clean Threat StatBlaster (ID:11648)
4/27/2005 9:23:42 PM::Removing file c:\documents and settings\dr. miller\local settings\tempwm_fuins.bat
4/27/2005 9:23:42 PM::Disable file c:\documents and settings\dr. miller\local settings\tempwm_fuins.bat and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\42A7CEE2-6D25-42A9-A743-640FB5\23AE50A5-FA7D-4FFE-8626-2DEE43
4/27/2005 9:23:43 PM::Clean Threat StatBlaster (ID:11648) Complete
4/27/2005 9:23:43 PM::Remove Threat (ID:11648) Complete
4/27/2005 9:23:43 PM::Remove Threat (ID:9636)
4/27/2005 9:23:43 PM::Clean Threat PeopleOnPage (ID:9636)
4/27/2005 9:23:44 PM::Removing file c:\program files\autoupdate\autoupdate.exe
4/27/2005 9:23:45 PM::Disable file c:\program files\autoupdate\autoupdate.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\675B8F5A-7DA7-4DA7-A33D-0E4E8D\889FECFC-E497-4B4C-820D-DE3778
4/27/2005 9:23:45 PM::Removing file c:\windows\system32\auto_update_uninstall.exe
4/27/2005 9:23:46 PM::Disable file c:\windows\system32\auto_update_uninstall.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\675B8F5A-7DA7-4DA7-A33D-0E4E8D\2708E4E7-9003-4627-B2F4-0C004D
4/27/2005 9:23:46 PM::Removing file c:\program files\autoupdate\libexpat.dll
4/27/2005 9:23:56 PM::Disable file c:\program files\autoupdate\libexpat.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\675B8F5A-7DA7-4DA7-A33D-0E4E8D\CAAB5EF6-0B57-4F3F-9219-1CE69E
4/27/2005 9:23:56 PM::Removing file C:\Program Files\CxtPls\ace.dll
4/27/2005 9:24:06 PM::Disable file C:\Program Files\CxtPls\ace.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\675B8F5A-7DA7-4DA7-A33D-0E4E8D\CE8C8A51-5574-428A-AAF0-B49C80
4/27/2005 9:24:06 PM::Removing file c:\windows\system32\auto_update_uninstall.log
4/27/2005 9:24:06 PM::Disable file c:\windows\system32\auto_update_uninstall.log and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\675B8F5A-7DA7-4DA7-A33D-0E4E8D\F79FDFDE-5CA3-4200-B704-CB6CD8
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [ProxyStub=C:\Program Files\CxtPls\proxystub.dll
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [Plugin=C:\Program Files\CxtPls\cxtpls.dll
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [ClientName=C:\Program Files\CxtPls\CxtPls.exe
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [LegalNote=nonbranded
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [InstallationId={He520b81-0512-7577-ec38-6c687825011b}
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [PartnerId=CP.WILD2
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [ServerAddress=adchannel.contextplus.net
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos
4/27/2005 9:24:06 PM::Removing registry key HKEY_LOCAL_MACHINE\software\apropos
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [LoadUrl=http://download.contextplus.net/apropos/client/<<version>>/CP.WILD2/<<try>>/AproposClientInstaller.exe
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [TempFile=C:\DOCUME~1\DR3D86~1.MIL\LOCALS~1\Temp\auf0.exe
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [Parameters=/HideUninstall /HideDir /PC="CP.WILD2" /ForSupportedBrowsers /ShowLegalNote=nonbranded
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [Attempts=2
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [Trust=1
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [Total=2
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [Downloaded=1
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient
4/27/2005 9:24:06 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Envolo\AutoUpdate\State [AM_version=1.0.174
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Envolo\AutoUpdate\State [EnvoloAutoUpdater_version=1.0.24
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Envolo\AutoUpdate\State
4/27/2005 9:24:07 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Envolo\AutoUpdate\State
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate\Tasks
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [PollInterval=86400
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [ServerUrl=http://envolo.peopleonpage.com:80/servlets/auto_update
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [DestDir=C:\Program Files\AutoUpdate\AutoUpdate.exe
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [HostId={1941C384-79C3-4A25-BEC7-8759D779AA29}
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [NextPingTime64=1114727182
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo
4/27/2005 9:24:07 PM::Removing registry key HKEY_LOCAL_MACHINE\software\envolo
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\aproposclient [UninstallString="C:\Program Files\CxtPls\uninstaller.exe"
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\aproposclient
4/27/2005 9:24:07 PM::Removing registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\aproposclient
4/27/2005 9:24:07 PM::Clean Threat PeopleOnPage (ID:9636) Complete
4/27/2005 9:24:07 PM::Remove Threat (ID:9636) Complete
4/27/2005 9:24:07 PM::Remove Threat (ID:14840)
4/27/2005 9:24:07 PM::Clean Threat MidAddle (ID:14840)
4/27/2005 9:24:08 PM::Removing file c:\program files\common files\midaddle\uninst.exe
4/27/2005 9:24:08 PM::Disable file c:\program files\common files\midaddle\uninst.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4D5469BE-893E-4031-AA26-DBF86A\55074AD1-C851-4008-9476-97218E
4/27/2005 9:24:08 PM::Removing file C:\Program Files\Common Files\midaddle\midaddle.dll
4/27/2005 9:24:18 PM::Disable file C:\Program Files\Common Files\midaddle\midaddle.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4D5469BE-893E-4031-AA26-DBF86A\6CFFE0B1-2637-4253-9FFF-E10A41
4/27/2005 9:24:18 PM::Delete folder c:\program files\common files\midaddle\
4/27/2005 9:24:18 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\midADdle [DisplayName=midADdle
4/27/2005 9:24:18 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\midADdle [UninstallString=C:\Common Files\Midaddle\uninst.exe
4/27/2005 9:24:18 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\midADdle
4/27/2005 9:24:18 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\midADdle
4/27/2005 9:24:19 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\midADdle [Install_Dir=C:\Common Files\Midaddle
4/27/2005 9:24:19 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\midADdle
4/27/2005 9:24:19 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\midADdle
4/27/2005 9:24:19 PM::Clean Threat MidAddle (ID:14840) Complete
4/27/2005 9:24:19 PM::Remove Threat (ID:14840) Complete
4/27/2005 9:24:19 PM::Remove Threat (ID:14820)
4/27/2005 9:24:19 PM::Clean Threat ATGames (ID:14820)
4/27/2005 9:24:19 PM::Removing file C:\WINDOWS\preInsTT.exe
4/27/2005 9:24:20 PM::Disable file C:\WINDOWS\preInsTT.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\25639C98-5468-4286-AE74-DA99B4\530DCCC4-245E-4229-A95C-46AF95
4/27/2005 9:24:20 PM::Removing file c:\windows\system32\atpartners.dll
4/27/2005 9:24:30 PM::Disable file c:\windows\system32\atpartners.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\25639C98-5468-4286-AE74-DA99B4\A2AB80CC-DAE9-4012-B307-D8D2DB
4/27/2005 9:24:30 PM::Removing file c:\documents and settings\dr. miller\favorites\at-games\gamehouse games.url
4/27/2005 9:24:30 PM::Disable file c:\documents and settings\dr. miller\favorites\at-games\gamehouse games.url and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\25639C98-5468-4286-AE74-DA99B4\6614496F-8C55-491D-8660-94C519
4/27/2005 9:24:30 PM::Removing file c:\documents and settings\dr. miller\favorites\at-games\big fish games.url
4/27/2005 9:24:30 PM::Disable file c:\documents and settings\dr. miller\favorites\at-games\big fish games.url and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\25639C98-5468-4286-AE74-DA99B4\AF0641BB-19FE-427A-BE7B-5106C1
4/27/2005 9:24:30 PM::Removing file c:\documents and settings\dr. miller\favorites\at-games\flyordie games.url
4/27/2005 9:24:30 PM::Disable file c:\documents and settings\dr. miller\favorites\at-games\flyordie games.url and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\25639C98-5468-4286-AE74-DA99B4\73FF62E5-09DB-4752-B740-7E293A
4/27/2005 9:24:30 PM::Delete folder c:\documents and settings\dr. miller\favorites\at-games\
4/27/2005 9:24:30 PM::Clean Threat ATGames (ID:14820) Complete
4/27/2005 9:24:30 PM::Remove Threat (ID:14820) Complete
4/27/2005 9:24:30 PM::Remove Threat (ID:14804)
4/27/2005 9:24:30 PM::Clean Threat IncrediFind (ID:14804)
4/27/2005 9:24:31 PM::Removing file c:\windows\system32\drivers\etc\hosts.bho
4/27/2005 9:24:31 PM::Disable file c:\windows\system32\drivers\etc\hosts.bho and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\5DC77C8E-37A8-4F9B-A833-4066F1\077641D9-3C37-40E1-B817-804CF1
4/27/2005 9:24:31 PM::Removing file c:\program files\IncrediFind\BHO\date.txt
4/27/2005 9:24:31 PM::Disable file c:\program files\IncrediFind\BHO\date.txt and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\5DC77C8E-37A8-4F9B-A833-4066F1\9FA7C0B7-83BA-4D5A-9C34-29F675
4/27/2005 9:24:31 PM::Delete folder c:\program files\IncrediFind\BHO\
4/27/2005 9:24:31 PM::Delete folder c:\program files\incredifind\
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\HomePage [DefaultIEHomePage=http://www.incredifind.com/
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\HomePage
4/27/2005 9:24:31 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\HomePage
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS [404=http://www.incredifind.com/index.cfm?action=lookup&pc=msifd&Keywords=
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS [DNSNotFound=http://www.incredifind.com/index.cfm?action=lookup&pc=msifd&Keywords=
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS [URLTranslation=http://www.incredifind.com/index.cfm?action=lookup&pc=msifd&Keywords=
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS [4=ivwt;12wjvhjjpgis0yiskvmhp1gpo2pqeBysn@
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS
4/27/2005 9:24:31 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO [INSTALLGUID=D72A0615-8470-4799-950C-B98671A43EBB
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO
4/27/2005 9:24:31 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\software\incredifind
4/27/2005 9:24:31 PM::Removing registry key HKEY_LOCAL_MACHINE\software\incredifind
4/27/2005 9:24:31 PM::Clean Threat IncrediFind (ID:14804) Complete
4/27/2005 9:24:31 PM::Remove Threat (ID:14804) Complete
4/27/2005 9:24:31 PM::Clean Threat Virtual Bouncer (ID:12432)
4/27/2005 9:24:31 PM::Removing file C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Unregistering COM entry points for file C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Disable file C:\WINDOWS\system32\SWRT01.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\899D7E37-9F21-48FB-8AC5-30E13A\92507DC0-53A3-4573-90C7-1926F4
4/27/2005 9:24:40 PM::Removing file c:\windows\system32\innervbinstall.log
4/27/2005 9:24:40 PM::Disable file c:\windows\system32\innervbinstall.log and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\899D7E37-9F21-48FB-8AC5-30E13A\BFB74FDC-D094-488A-8260-1DCE48
4/27/2005 9:24:40 PM::Delete folder c:\program files\vbouncer\
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\Implemented Categories
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\InprocServer32 [=C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\InprocServer32 [ThreadingModel=Apartment
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\InprocServer32
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\ProgID [=SWRT01.RT
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\ProgID
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\Programmable
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\TypeLib [={5E594162-60A9-487D-84B8-DBDD716CB862}
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\TypeLib
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\VERSION [=2.8
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\VERSION
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} [=SWRT01.RT
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}
4/27/2005 9:24:40 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}
4/27/2005 9:24:41 PM::Removing registry value HKEY_CLASSES_ROOT\SWRT01.RT\Clsid [={8940E505-72C6-44DE-BE85-1D746780EFBF}
4/27/2005 9:24:41 PM::Removing registry value HKEY_CLASSES_ROOT\SWRT01.RT\Clsid
4/27/2005 9:24:41 PM::Removing registry value HKEY_CLASSES_ROOT\SWRT01.RT [=SWRT01.RT
4/27/2005 9:24:41 PM::Removing registry value HKEY_CLASSES_ROOT\SWRT01.RT
4/27/2005 9:24:41 PM::Removing registry key HKEY_CLASSES_ROOT\SWRT01.RT
4/27/2005 9:24:41 PM::Clean Threat Virtual Bouncer (ID:12432) Complete
4/27/2005 9:24:41 PM::Remove Threat (ID:10773)
4/27/2005 9:24:41 PM::Clean Threat ShopAtHome (ID:10773)
4/27/2005 9:24:43 PM::Removing file c:\windows\system32\sahhtml.exe
4/27/2005 9:24:44 PM::Disable file c:\windows\system32\sahhtml.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\FCB011FD-A6CC-4999-BFEB-354F12
4/27/2005 9:24:44 PM::Removing file c:\windows\downloaded program files\sahagent_.exe
4/27/2005 9:24:44 PM::Disable file c:\windows\downloaded program files\sahagent_.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\386FBCA4-9B13-41BC-9C80-F3EDA0
4/27/2005 9:24:44 PM::Removing file c:\windows\downloaded program files\sahhtml_.exe
4/27/2005 9:24:45 PM::Disable file c:\windows\downloaded program files\sahhtml_.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\E0B3C647-8F42-432F-A257-6A9B27
4/27/2005 9:24:45 PM::Removing file c:\windows\downloaded program files\sahuninstall_.exe
4/27/2005 9:24:46 PM::Disable file c:\windows\downloaded program files\sahuninstall_.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\2BB597F1-CC9F-4D11-8EB3-5696A0
4/27/2005 9:24:46 PM::Removing file C:\WINDOWS\Downloaded Program Files\lsp_.dll
4/27/2005 9:24:55 PM::Disable file C:\WINDOWS\Downloaded Program Files\lsp_.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\222D9DC6-1E4A-4985-A68F-8FDE82
4/27/2005 9:24:55 PM::Removing file c:\windows\system32\xmlparse.dll
4/27/2005 9:25:05 PM::Disable file c:\windows\system32\xmlparse.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\2DAB6BFD-134A-43AA-9D05-AEAB00
4/27/2005 9:25:05 PM::Removing file c:\windows\system32\xmltok.dll
4/27/2005 9:25:15 PM::Disable file c:\windows\system32\xmltok.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\D06F10B8-53AD-4DFE-9DD5-8F79FF\AE37CCF5-DDBA-43BD-A2CB-022D91
4/27/2005 9:25:15 PM::Clean Threat ShopAtHome (ID:10773) Complete
4/27/2005 9:25:15 PM::Remove Threat (ID:10773) Complete
4/27/2005 9:25:15 PM::Remove Threat (ID:14922)
4/27/2005 9:25:15 PM::Clean Threat Windows Search Bar (ID:14922)
4/27/2005 9:25:16 PM::Removing file c:\windows\system32\searchbar.htm
4/27/2005 9:25:16 PM::Disable file c:\windows\system32\searchbar.htm and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\57018385-AE9A-4096-AB86-23AC01\7805B54F-A101-4EE1-8927-C16D03
4/27/2005 9:25:16 PM::Clean Threat Windows Search Bar (ID:14922) Complete
4/27/2005 9:25:16 PM::Remove Threat (ID:14922) Complete
4/27/2005 9:25:16 PM::Remove Threat (ID:15070)
4/27/2005 9:25:16 PM::Clean Threat EnhanceMySearch (ID:15070)
4/27/2005 9:25:16 PM::Clean Threat EnhanceMySearch (ID:15070) Complete
4/27/2005 9:25:17 PM::Remove Threat (ID:15070) Complete
4/27/2005 9:25:17 PM::Remove Threat (ID:3342)
4/27/2005 9:25:17 PM::Clean Threat BrowserAid (ID:3342)
4/27/2005 9:25:17 PM::Removing file c:\windows\system32\stlbdist.dll
4/27/2005 9:25:27 PM::Disable file c:\windows\system32\stlbdist.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\FB59E861-0807-40D9-94EE-9E5BFA\A63E4F17-DC63-443E-9A65-5D3999
4/27/2005 9:25:27 PM::Clean Threat BrowserAid (ID:3342) Complete
4/27/2005 9:25:27 PM::Remove Threat (ID:3342) Complete
4/27/2005 9:25:27 PM::Remove Threat (ID:5605)
4/27/2005 9:25:27 PM::Clean Threat Claria.GAIN (ID:5605)
4/27/2005 9:25:27 PM::Removing file c:\windows\gatorhdplugin.log
4/27/2005 9:25:27 PM::Disable file c:\windows\gatorhdplugin.log and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\948054FD-0806-4A60-AEB3-4E84E8\0CEE0A81-07D9-4E2F-9B2A-04D4B6
4/27/2005 9:25:27 PM::Removing file c:\documents and settings\all users\start menu\programs\gain publishing\about gain publishing.lnk
4/27/2005 9:25:27 PM::Disable file c:\documents and settings\all users\start menu\programs\gain publishing\about gain publishing.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\948054FD-0806-4A60-AEB3-4E84E8\AAA1736A-7E89-439B-95B8-B70AB1
4/27/2005 9:25:27 PM::Removing file c:\documents and settings\all users\start menu\programs\gain publishing\gain publishing web site.url
4/27/2005 9:25:27 PM::Disable file c:\documents and settings\all users\start menu\programs\gain publishing\gain publishing web site.url and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\948054FD-0806-4A60-AEB3-4E84E8\A7ACD2BC-D06C-43E5-9EA6-A99E2A
4/27/2005 9:25:27 PM::Delete folder c:\documents and settings\all users\start menu\programs\gain publishing\
4/27/2005 9:25:27 PM::Clean Threat Claria.GAIN (ID:5605) Complete
4/27/2005 9:25:28 PM::Remove Threat (ID:5605) Complete
4/27/2005 9:25:28 PM::Remove Threat (ID:13770)
4/27/2005 9:25:28 PM::Clean Threat Twain Tech (ID:13770)
4/27/2005 9:25:28 PM::Removing file c:\windows\twaintec.dll
4/27/2005 9:25:39 PM::Disable file c:\windows\twaintec.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4A8A6E0E-B39C-400B-8D33-8E0890\BDDC4278-4B68-4655-AE95-FD6E10
4/27/2005 9:25:39 PM::Removing file c:\windows\inf\alchem.inf
4/27/2005 9:25:39 PM::Disable file c:\windows\inf\alchem.inf and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4A8A6E0E-B39C-400B-8D33-8E0890\F0122B3E-1D3D-428A-8100-88593B
4/27/2005 9:25:39 PM::Removing file c:\windows\inf\twaintec.inf
4/27/2005 9:25:39 PM::Disable file c:\windows\inf\twaintec.inf and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4A8A6E0E-B39C-400B-8D33-8E0890\4687AA80-65D1-44FA-B8A5-434D5F
4/27/2005 9:25:39 PM::Removing file c:\windows\inf\twtini.inf
4/27/2005 9:25:40 PM::Disable file c:\windows\inf\twtini.inf and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4A8A6E0E-B39C-400B-8D33-8E0890\CFEFAB59-0BE6-4B2C-9A64-2909DD
4/27/2005 9:25:40 PM::Removing file c:\windows\twaintec.ini
4/27/2005 9:25:40 PM::Disable file c:\windows\twaintec.ini and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\4A8A6E0E-B39C-400B-8D33-8E0890\76D509C4-EB35-4C73-9110-8E31C9
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec [DisplayName=BetterInternet
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec [UninstallString=RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\twaintec.inf, Uninstall
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec
4/27/2005 9:25:40 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\twaintec
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTI4d5OfSInst={50509496-CE42-464F-AD78-1E3B280F2DF2}
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTI4d5OfSDist=BDLA4012
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4o5pListSPos=11648
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTI4n5ProgSCab=0
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTI4n5ProgSEx=0
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTI4n5ProgSLstest=0
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC4n5trSEvnt=215
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC4n5trMsgSDisp=48
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC4S5Insur=3
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4h5rshSCheckSIn=1
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TT4C5ntrSTransac=2
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC4u5rrentSMode=1
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC4n5tFyl=0
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTM4o5deSSync=7
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4h5rshSBath=10000
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4h5rshSysSInf=2000
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4h5rshSMots=100
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [ =
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTs4t5i6cky1S=capdate%3D1712%26capdatedy%3D0717%26lupgtry%3D1%26lupgid%3D150%26lupgdt%3D1090080817271%26lflshdt%3D1089836004%26lstlogdt%3D20040717%26cntp%3Dtx%26capcntdy%3D1%26capcnt%3D1%26
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTs4t5icky2S=lastlstdt%3D1089836004476%26fstcidt%3D1089836004476%26
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTC1o4d5eOfSFinalAd=1
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTT4i5m6eOfSFinalAd=1090081005|0|1089903164|0|1089836004|0|0|0|0|
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TT4N5a6tionSCode=US
4/27/2005 9:25:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\twaintec [TTD4s5tSSEnd=’›–‚ÀÀÃ
mbresnahan
Regular Member
Posts: 63
Joined: April 13th, 2005, 9:53 pm
Location: Augusta, GA

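The removal log above is a flat list of actions; what a responder actually wants from it is, per threat, the paths that went to quarantine, the registry keys and COM class IDs that were torn out, and the servers the adware was configured to talk to. The following Python parser is an added example for this thread, not part of the original post and not a Microsoft tool. Its sample input is copied from the log above, with the start marker for PeopleOnPage reconstructed because the posted excerpt begins in the middle of that cleanup; the value-name hints used to decide when a bare string like `adchannel.contextplus.net` counts as a host are the example's own assumption, not something the log format defines.

```python
"""Per-threat IOC summary from a Microsoft AntiSpyware removal log. Added example for
this thread (not Microsoft's code, not part of any post); sample lines are copied from
the log above, with the PeopleOnPage start marker reconstructed (excerpt begins mid-cleanup)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

SAMPLE_LOG = r"""
4/27/2005 9:24:06 PM::Clean Threat PeopleOnPage (ID:9636)
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\software\apropos\Client [ServerAddress=adchannel.contextplus.net
4/27/2005 9:24:06 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader\AproposClient [LoadUrl=http://download.contextplus.net/apropos/client/<<version>>/CP.WILD2/<<try>>/AproposClientInstaller.exe
4/27/2005 9:24:07 PM::Removing registry value HKEY_LOCAL_MACHINE\software\envolo\AutoUpdate [ServerUrl=http://envolo.peopleonpage.com:80/servlets/auto_update
4/27/2005 9:24:07 PM::Clean Threat PeopleOnPage (ID:9636) Complete
4/27/2005 9:24:07 PM::Remove Threat (ID:14840)
4/27/2005 9:24:07 PM::Clean Threat MidAddle (ID:14840)
4/27/2005 9:24:08 PM::Removing file c:\program files\common files\midaddle\uninst.exe
4/27/2005 9:24:18 PM::Delete folder c:\program files\common files\midaddle\
4/27/2005 9:24:18 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\midADdle [UninstallString=C:\Common Files\Midaddle\uninst.exe
4/27/2005 9:24:19 PM::Clean Threat MidAddle (ID:14840) Complete
4/27/2005 9:24:31 PM::Clean Threat IncrediFind (ID:14804)
4/27/2005 9:24:31 PM::Removing file c:\windows\system32\drivers\etc\hosts.bho
4/27/2005 9:24:31 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\IncrediFind\BHO\RedirectURLS [404=http://www.incredifind.com/index.cfm?action=lookup&pc=msifd&Keywords=
4/27/2005 9:24:31 PM::Clean Threat IncrediFind (ID:14804) Complete
4/27/2005 9:24:31 PM::Clean Threat Virtual Bouncer (ID:12432)
4/27/2005 9:24:31 PM::Removing file C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Unregistering COM entry points for file C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}\InprocServer32 [=C:\WINDOWS\system32\SWRT01.dll
4/27/2005 9:24:40 PM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF}
4/27/2005 9:24:41 PM::Clean Threat Virtual Bouncer (ID:12432) Complete
"""

LINE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M::(?P<msg>.*)$")
DONE_RE = re.compile(r"^Clean Threat (?P<name>.+) \(ID:(?P<id>\d+)\) Complete$")
START_RE = re.compile(r"^Clean Threat (?P<name>.+) \(ID:(?P<id>\d+)\)$")
PATH_RE = re.compile(r"^(?:Removing file|Delete folder) (?P<path>.+)$")
REGKEY_RE = re.compile(r"^Removing registry key (?P<key>.+)$")
REGVAL_RE = re.compile(r"^Removing registry value (?P<key>.+?)(?: \[(?P<name>[^=]*)=(?P<data>.*))?$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

@dataclass
class Threat:
    name: str
    threat_id: int
    paths: list = field(default_factory=list)       # files removed and folders deleted
    reg_keys: list = field(default_factory=list)
    reg_values: list = field(default_factory=list)  # (key, value name, data); data None if absent
    clsids: set = field(default_factory=set)        # COM classes: compare with the browser's BHO list
    hosts: set = field(default_factory=set)         # ad / download / update servers
    unparsed: list = field(default_factory=list)    # actions this parser does not classify

def hosts_in(value_name, data):
    """Hosts a registry value points at: URL hosts, or a bare hostname when the value name
    hints at a network setting (assumption; it keeps 'PartnerId=CP.WILD2' from counting)."""
    hosts = {urlparse(u).hostname.lower() for u in URL_RE.findall(data) if urlparse(u).hostname}
    net_hint = any(w in value_name.lower() for w in ("server", "address", "host", "url"))
    if not hosts and net_hint and HOST_RE.match(data.strip()):
        hosts.add(data.strip().lower())
    return hosts

def parse_log(text):
    """Group actions by the 'Clean Threat X (ID:n)' ... '... Complete' block they fall in."""
    threats, cur = {}, None
    for raw in text.splitlines():
        if not (m := LINE_RE.match(raw.strip())):
            continue
        msg = m["msg"]
        if DONE_RE.match(msg):
            cur = None
        elif (s := START_RE.match(msg)):
            cur = threats.setdefault(int(s["id"]), Threat(s["name"], int(s["id"])))
        elif cur is None:
            continue  # 'Remove Threat (ID:n)' wrappers sit outside any cleanup block
        elif (p := PATH_RE.match(msg)):
            cur.paths.append(p["path"])
        elif (k := REGKEY_RE.match(msg)):
            cur.reg_keys.append(k["key"])
            cur.clsids.update(CLSID_RE.findall(k["key"]))
        elif (v := REGVAL_RE.match(msg)):
            cur.reg_values.append((v["key"], v["name"], v["data"]))
            cur.clsids.update(CLSID_RE.findall(v["key"]))
            if v["data"] is not None:
                cur.hosts.update(hosts_in(v["name"], v["data"]))
        elif not msg.startswith(("Disable file ", "Unregistering COM ")):
            cur.unparsed.append(msg)  # quarantine/unregister lines repeat paths already seen
    return threats

def summarize(threats):
    """One row per threat: counts plus the IOCs worth pivoting on."""
    return [{"id": t.threat_id, "name": t.name, "paths": len(t.paths), "registry_keys": len(t.reg_keys),
             "clsids": sorted(t.clsids), "hosts": sorted(t.hosts)}
            for t in threats.values()]

if __name__ == "__main__":
    for row in summarize(parse_log(SAMPLE_LOG)):
        print(row)
```

Anything the parser cannot classify lands in `unparsed` rather than being dropped, so a new action type in a later log version shows up instead of silently vanishing. The CLSIDs are the values to check against the browser's helper-object entries after cleanup, and the host list is what you would feed into a hosts-file or proxy block list while the machine is still being worked on.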
Unread postby mbresnahan » April 27th, 2005, 10:26 pm

Ran Norton and got this. I'm going to turn off restore, then run some scans: Norton and Trend Micro.

Scan type: Manual Scan
Event: Virus Found!
Virus name: Trojan.Dropper
File: C:\System Volume Information\_restore{8D886871-9FF3-41BC-8498-31949104AB2E}\RP153\A0033343.exe
Location: Quarantine
Computer: LAPTOP
User: DR. MILLER
Action taken: Clean failed : Quarantine succeeded :
Date found: Wed Apr 27 22:20:24 2005
mbresnahan
Regular Member
Posts: 63
Joined: April 13th, 2005, 9:53 pm
Location: Augusta, GA

Unread postby mbresnahan » April 28th, 2005, 7:22 am

I ran Trend Micro; it was clean.
I ran Ad-aware; it came up with 25, and here is the log.


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, April 28, 2005 6:39:08 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


4-28-2005 6:39:08 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 4-28-2005 9:59:09 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 9:59:29 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 9:59:30 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:39 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 9:59:30 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:02 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/29/2002 9:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 9:59:31 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:44 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 9:59:31 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:44 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:7 [ireike.exe]
FilePath : C:\Program Files\WatchGuard\Mobile User VPN\
ThreadCreationTime : 4-28-2005 9:59:32 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 9.0.3 (Build 2)
Copyright : (c) 1997-2002 SafeNet, Inc. All rights reserved.
CompanyName : SafeNet
FileDescription : IreIke Service Application
InternalName : IreIke
OriginalFilename : IreIke.exe
ProductName : SafeNet VPN Client
Created on : 11/4/2003 4:36:11 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 2/10/2003 7:11:52 PM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 4-28-2005 9:59:34 AM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 5/12/2003 1:12:10 AM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 5/12/2003 1:12:10 AM

#:9 [brsvc01a.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 9:59:35 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : brother Industries Ltd
FileDescription : brsvc01a
InternalName : brsvc01a
OriginalFilename : brsvc01a.exe
ProductName : brother Industries Ltd brsvc01a
Created on : 6/2/2004 3:43:19 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 4/12/2002 4:00:00 AM

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 9:59:35 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:42 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:11 [brss01a.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 9:59:35 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 1.004
ProductVersion : 1, 0, 0, 4
Copyright : Copyright © 2001
CompanyName : brother Industries Ltd
FileDescription : brss01a.exe
InternalName : brss01a.exe
OriginalFilename : brss01a.exe
ProductName : brother Industries Ltd brss01a.exe
Created on : 6/2/2004 3:43:19 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 12/13/2001 4:01:00 AM

#:12 [pptd40nt.exe]
FilePath : C:\Program Files\Scansoft\PaperPort\
ThreadCreationTime : 4-28-2005 9:59:38 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 8.10
ProductVersion : 8.10
Copyright : Copyright
CompanyName : ScanSoft, Inc.
FileDescription : PaperPort Print to Desktop for NT
InternalName : PPTD40NT
OriginalFilename : PPTD40NT.EXE
ProductName : PaperPort
Created on : 8/12/2002 1:33:34 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/12/2002 1:33:34 PM

#:13 [gcasserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ThreadCreationTime : 4-28-2005 9:59:38 AM
BasePriority : Idle
FileSize : 462 KB
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
OriginalFilename : gcasServ.exe
ProductName : Microsoft AntiSpyware (Beta 1)
Created on : 2/11/2005 2:32:22 AM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 2/11/2005 2:32:22 AM

#:14 [emia.exe]
FilePath : C:\Documents and Settings\DR. MILLER\Application Data\
ThreadCreationTime : 4-28-2005 9:59:38 AM
BasePriority : Normal
FileSize : 81 KB
Created on : 1/13/2005 3:43:54 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 4/27/2005 10:27:56 PM

#:15 [hotsync.exe]
FilePath : C:\Program Files\Sony Handheld\
ThreadCreationTime : 4-28-2005 9:59:38 AM
BasePriority : Normal
FileSize : 292 KB
FileVersion : 4.0.4
ProductVersion : 4.1.0
Copyright : Copyright
CompanyName : Palm, Inc.
FileDescription : HotSync
InternalName : HotSync
OriginalFilename : Hotsync.exe
ProductName : HotSync
Created on : 8/9/2002 7:36:20 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/9/2002 7:36:20 PM

#:16 [gcasdtserv.exe]
FilePath : C:\Program Files\Microsoft AntiSpyware\
ThreadCreationTime : 4-28-2005 9:59:45 AM
BasePriority : Normal
FileSize : 734 KB
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
OriginalFilename : gcasDtServ.exe
ProductName : Microsoft AntiSpyware (Beta 1)
Created on : 2/11/2005 2:32:22 AM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 2/11/2005 2:32:22 AM

#:17 [packethsvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 10:00:40 AM
BasePriority : Normal
FileSize : 63 KB
FileVersion : 6, 0, 0, 6
ProductVersion : 6, 0, 0, 6
Copyright : Copyright (C) America Online, Inc. 1999 - 2001
CompanyName : America Online, Inc.
FileDescription : Virtual Adapter Service
InternalName : Virtual Adapter Service
OriginalFilename : PackethSvc.exe
ProductName : America Online
Created on : 11/7/2003 9:59:14 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/9/2001 10:18:30 PM

#:18 [brmfrmps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-28-2005 10:00:40 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 1.10.10.144
ProductVersion : 1.45.11.403
Copyright : Copyright (C) 2002 brother
CompanyName : Brother Industries, Ltd.
FileDescription : Brother Popup Suspend service ( for R/M )
InternalName : Brother Popup Suspend service for Brother MFL-PRO Resource Manager
OriginalFilename : BrmfRmps.exe
ProductName : Brother MFL Pro
Created on : 6/2/2004 3:43:16 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 3/19/2003 9:43:00 PM

#:19 [defwatch.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ThreadCreationTime : 4-28-2005 10:00:40 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 7/30/2002 3:36:00 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/30/2002 3:36:00 PM

#:20 [ipsecmon.exe]
FilePath : C:\Program Files\WatchGuard\Mobile User VPN\
ThreadCreationTime : 4-28-2005 10:00:40 AM
BasePriority : Normal
FileSize : 24 KB
FileVersion : 9.0.3 (Build 2)
Copyright : (c) 1997-2002 SafeNet, Inc. All rights reserved.
CompanyName : SafeNet
FileDescription : IPSecMon Service Application
InternalName : IPSecMon
OriginalFilename : IpSecMon.exe
ProductName : SafeNet VPN Client
Created on : 11/4/2003 4:36:12 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 2/10/2003 7:11:54 PM

#:21 [rtvscan.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
ThreadCreationTime : 4-28-2005 10:00:40 AM
BasePriority : Normal
FileSize : 560 KB
FileVersion : 8.00.00.9374
ProductVersion : 8.00.00.9374
Copyright : Copyright (C) Symantec Corporation 1991-2002
CompanyName : Symantec Corporation
FileDescription : Symantec AntiVirus
ProductName : Symantec AntiVirus
Created on : 7/30/2002 3:40:44 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/30/2002 3:40:44 PM

#:22 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 10:00:46 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/9/2001 4:36:44 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

#:23 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-28-2005 10:02:09 AM
BasePriority : Normal
FileSize : 111 KB
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 9/9/2001 4:50:42 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/3/2004 6:02:20 PM

#:24 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 4-28-2005 10:37:51 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/8/2004 6:38:25 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/13/2003 2:00:20 AM

#:25 [wmiapsrv.exe]
FilePath : C:\WINDOWS\System32\wbem\
ThreadCreationTime : 4-28-2005 10:38:45 AM
BasePriority : Normal
FileSize : 114 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : WMI Performance Adapter Service
InternalName : WmiApSrv.exe
OriginalFilename : WmiApSrv.exe
ProductName : Microsoft
Created on : 9/9/2001 4:50:32 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 8/18/2001 9:00:00 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

180Solutions Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\180solutions\msbb


ClearSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{60494593-5408-447d-bd5e-a16640d6af99}


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band.1


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.band


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{4e627a1e-bc4b-4faf-8de8-1d9a54d37da3}


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search.1


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : sep.search


Lycos Sidesearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{c30793af-14b2-4300-8b5d-4bfa3987050e}


PeopleOnPage Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Apropos


Virtumundo Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\EARN


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 10
Objects found so far: 10


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 10


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : dr. miller@tickle[1].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 7/14/2004 2:55:54 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/30/2004 1:49:04 PM



Tracking Cookie Object recognized!
Type : File
Data : dr. miller@2o7[1].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 6/29/2004 6:27:52 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 6/29/2004 6:30:48 PM



Tracking Cookie Object recognized!
Type : File
Data : dr. miller@casalemedia[1].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 1/13/2005 4:04:41 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 1/13/2005 4:04:42 PM



Tracking Cookie Object recognized!
Type : File
Data : dr. miller@tickle[3].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 1/13/2005 3:48:22 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 1/13/2005 3:48:24 PM



Tracking Cookie Object recognized!
Type : File
Data : dr. miller@2o7[3].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 1/13/2005 3:44:52 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 1/13/2005 3:44:54 PM



Tracking Cookie Object recognized!
Type : File
Data : dr. miller@casalemedia[2].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 7/19/2004 7:06:32 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/19/2004 7:06:34 PM


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

PeopleOnPage Object recognized!
Type : File
Data : sscdss.exe
Object : C:\WINDOWS\System32\
FileSize : 108 KB
Created on : 7/30/2004 1:47:47 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/30/2004 1:46:36 PM



SahAgent Object recognized!
Type : File
Data : sahagent1018.exe
Object : C:\WINDOWS\System32\
FileSize : 53 KB
Created on : 7/15/2004 1:36:32 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 7/15/2004 1:36:34 PM



CoolWebSearch Object recognized!
Type : File
Data : terrabyte.exe
Object : C:\WINDOWS\System32\
FileSize : 124 KB
FileVersion : 2.00.0011
ProductVersion : 2.00.0011
InternalName : terrabyte
OriginalFilename : terrabyte.exe
ProductName : terrabyte
Created on : 4/20/2004 12:51:30 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 4/20/2004 12:51:30 PM




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

ClearSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}


PeopleOnPage Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\AutoLoader


PeopleOnPage Object recognized!
Type : Folder
Object : c:\program files\AutoUpdate


CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\AppDat


CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


CoolWebSearch Object recognized!
Type : File
Data : cfg.dat
Object : c:\windows\system32\

Created on : 1/13/2005 3:16:26 PM
Last accessed : 4/28/2005 4:00:00 AM
Last modified : 1/13/2005 3:16:28 PM



Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 6
Objects found so far: 25


6:46:45 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:07:36:437
Objects scanned :72705
Objects identified :25
Objects ignored :0
New objects :25
mbresnahan
Regular Member
Posts: 63
Joined: April 13th, 2005, 9:53 pm
Location: Augusta, GA
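
The Ad-Aware log above has a regular shape: each running process is a "#:N [name]" block and each hit is a "<Family> Object recognized!" block, both followed by "Key : Value" lines, with section titles, counters and overline rules in between. The Python below is an added example, not code from this forum or from Lavasoft: it parses that layout into records and pulls out what a helper triages first, hits per family and per object type, file hits under the Windows tree (persistent binaries such as terrabyte.exe, as opposed to the tracking cookies in the user profile), the full registry paths to check, and any running process whose version resource carries no CompanyName. SAMPLE_LOG is a constructed excerpt in the same layout; its entries mirror ones in the log above except the unknownsvc.exe process, which is invented to show a process with no publisher. Point parse_adaware_log at the text of a saved log to run it on the real thing.

```python
"""Parse an Ad-Aware 6 scan log in the layout posted above and triage it.
Added example, not Ad-Aware's or the forum's code. SAMPLE_LOG is a
constructed excerpt in that layout; unknownsvc.exe in it is invented."""
import re
from collections import Counter

PROCESS_HDR = re.compile(r"^#:(\d+) \[(.+)\]$")
DETECT_HDR = re.compile(r"^(.+?) Object recognized!$")
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")

# Only these keys attach to a record; section titles, counters such as
# "Objects found so far" and the overline rules are not in the set.
KNOWN_FIELDS = {
    "FilePath", "ThreadCreationTime", "BasePriority", "FileSize", "FileVersion",
    "ProductVersion", "Copyright", "CompanyName", "FileDescription", "InternalName",
    "OriginalFilename", "ProductName", "Created on", "Last accessed", "Last modified",
    "Type", "Data", "Rootkey", "Object", "Value",
}

SAMPLE_LOG = r"""#:21 [rtvscan.exe]
FilePath : C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\
FileVersion : 8.00.00.9374
CompanyName : Symantec Corporation

#:99 [unknownsvc.exe]
FilePath : C:\WINDOWS\System32\
FileSize : 40 KB

180Solutions Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\180solutions\msbb

Registry scan result :
New objects : 1
Objects found so far: 1

Tracking Cookie Object recognized!
Type : File
Data : dr. miller@2o7[1].txt
Object : C:\Documents and Settings\DR. MILLER\Cookies\

Created on : 6/29/2004 6:27:52 PM

CoolWebSearch Object recognized!
Type : File
Data : terrabyte.exe
Object : C:\WINDOWS\System32\

ClearSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
"""

def parse_adaware_log(text):
    """Return (processes, detections) as lists of dicts keyed by log field."""
    processes, detections, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROCESS_HDR.match(line):
            current = {"index": int(m.group(1)), "name": m.group(2)}
            processes.append(current)
        elif m := DETECT_HDR.match(line):
            current = {"family": m.group(1)}
            detections.append(current)
        elif current is not None and (m := FIELD.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key in KNOWN_FIELDS and value:   # "Data :" alone is a placeholder
                current[key] = value
    return processes, detections

def detection_target(d):
    """One string locating the hit: registry path, file path or folder."""
    kind = d.get("Type")
    if kind in ("RegKey", "RegValue"):
        path = d["Rootkey"] + "\\" + d["Object"]
        return path + " -> " + d["Value"] if kind == "RegValue" else path
    return d.get("Object", "") + (d.get("Data", "") if kind == "File" else "")

def summarize(detections):
    """Hit counts per adware family and per object type."""
    return (Counter(d["family"] for d in detections),
            Counter(d.get("Type", "?") for d in detections))

def files_under_windows(detections):
    """File hits under the Windows tree: persistent binaries, not cookies."""
    return [detection_target(d) for d in detections if d.get("Type") == "File"
            and d["Object"].lower().startswith("c:\\windows\\")]

def processes_without_publisher(processes):
    """Running processes with no CompanyName in their version resource."""
    return [p["name"] for p in processes if "CompanyName" not in p]

if __name__ == "__main__":
    procs, hits = parse_adaware_log(SAMPLE_LOG)
    print(summarize(hits), files_under_windows(hits), processes_without_publisher(procs))
```

A missing CompanyName is not proof of anything on its own (plenty of legitimate tools ship without version resources), but on a machine with this many adware hits it is where to look first, together with the System32 files the scanner named.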

Post by wng_z3r0 » April 29th, 2005, 4:58 pm

Ok, we need to do these steps:
1. Move HijackThis off the desktop. It should be in its own folder. I would recommend putting it here: c:\hjt
2. Also move the folder called backups. It should be on your desktop. Those are the HijackThis backups in case we need to restore something.
3. You need to update your scans before you run them. The newest version of Ad-Aware is available here:
http://www.download.com/Ad-Aware-SE-Per ... ag=lst-0-1
4. You also need to download, update, and run Spybot.
Download it here:
http://www.download.com/Spybot-Search-D ... dl&tag=but
5. Finally, download and run CWShredder here:
http://www.intermute.com/spysubtract/cw ... nload.html


Post a new HJT log when all of that is done.

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm