#1 | 16-09-2004, 03:26 PM
Broken In | Join Date: Mar 2004 | Location: Suspense | Posts: 135
Oye! I'm suffering from VIRUS
Hi, this is probably my 3rd or 4th post on Digit. I have a BIG problem here; it's been 2 months since I have had this. I run AVG virus scan, it detects W32.Parite.B and VBS/Redlof, and when I searched other forums they said it's W32.Blaster.Worm and for removal I have to go to the Symantec or McAfee website, but my computer opens the pages. I downloaded Stinger from McAfee and searched but no use. Now see the
Problem
1. My XP hangs in the middle or restarts.
2. When the computer is started they show many programs want to connect to the net like :
3. My computer's look changes, i.e. some of the icons are almost disgusting.
4. When I try to install 98, at start it says Boot record VIRUS (Y/N); when I press Y it continues with the installation, then the same message appears at the installation stage but this time the system hangs.
5. I cannot install Norton or McAfee as the system starts running DAMN slow.
6. AVG Antivirus does not stand after restart, that is it has to be reinstalled again if the PC is restarted.
7. System hangs when I install XP SP2.
What I have done
1. When I run AVG antivirus it finds W32.Parite and VBS/Redlof and removes them but the problem persists.
This is how my Task Manager looks like :
Please tell me some way; if you can't help it this way, tell me if changing the hard disk would work?
__________________
Me - Gone :(
#2 | 16-09-2004, 03:56 PM
Davislav Ivanuiz!!! | Join Date: Apr 2004 | Location: Pune | Posts: 1,396
Run 'msconfig' and disable th entry 'svchostt.exe' in th Startup tab. This is probably th infected file. Search for th file and delete it. Now run 'Regedit' and search for 'svchostt.exe' and delete all entries related to it. IMPORTANT : Backup ur registry before u do this!!
Also, disable any entries u do not recognise as programs that u hv installed. And, go to [Control Panel]>>[Internet Options] and in th Connections tab, select th 'Never Dial A Connection' radio button. This way, Windows will not ask u to connect to th internet even if some prog requests it.
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:
www.abhi247.com | The Photohblog A Little Lunacy! [v3]
Flickr!
#3 | 16-09-2004, 04:34 PM
Broken In | Join Date: Mar 2004 | Location: Suspense | Posts: 135
1. How am I supposed to back up the registry?
2. How am I gonna search, 'cause when I search it says "A file required to run the search companion is not working."
3. What about the boot sector virus?
__________________
Me - Gone :(
#4 | 16-09-2004, 04:49 PM
Davislav Ivanuiz!!! | Join Date: Apr 2004 | Location: Pune | Posts: 1,396
[1] Start Regedit and click on th File menu. Click on Export, give a filename and select th option 'All' in Export Range.
[2] If u can't search, don't worry. Th file is most likely to be in C:\WINDOWS or C:\WINDOWS\SYSTEM32\. Go to those directories and look for th file.
[3] Boot using th Windows XP CD. Press 'r' when setup asks if u want to use th Recovery Console. At th Recovery Console, type fixboot. It will write a new boot sector to ur drive. Also, type fixmbr to fix ur Master Boot Record. Do this only if there is no other OS installed along with XP.
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:
www.abhi247.com | The Photohblog A Little Lunacy! [v3]
Flickr!
#5 | 16-09-2004, 04:51 PM
Wise Old Owl | Join Date: Jul 2004 | Location: Bangalore | Posts: 1,208
Backing up registry:
Start->run
type : regedit
From the window that opens up goto File-> export . Select the location you want to export the file to and save it with some name.
This will back up your registry.
Boot Sector VIRUS should be removed by NAV or McAfee...install it..run it...even if it is slow...let it remove the virus...and then uninstall it...
__________________
AMD 64 3500+ Venice
DFI Lan Party Ultra-D
2* 512 MB PdP Memory with 2-2-5L timings
XFX 7900GT 256 MB Card
#6 | 16-09-2004, 05:07 PM
What the Heck ! | Join Date: Apr 2004 | Location: Ask Me ! | Posts: 237
Hmm...
First make a McAfee/Norton boot disk with the latest virus defn on a friend's computer.
Make a cold boot (shut down and turn off all power to the CPU).
Now boot up with the floppy and run a full scan and hopefully it will get rid of ur boot sector virus and any other virus, and then try to boot up in Windows and see if things are back to normal....
After getting back in Windows I wud recommend doin another full scan of ur system using some reliable antivirus with latest virus definitions....
__________________
Risk more than what others think is safe.
Care more than what others think is caring.
Think more than what others think is thoughtful.
Do more than what others think is possible.
#7 | 16-09-2004, 11:15 PM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
is svchost some kind of absolutely required service by windows...cos my xp pro also has several instances running at the same time...
#8 | 16-09-2004, 11:43 PM
Coming back to life .. | Join Date: Nov 2003 | Location: A bit closer to heaven | Posts: 1,997
Please post your HijackThis logfile for better assessment of your problem.
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
#9 | 16-09-2004, 11:48 PM
Right Off the Assembly Line | Join Date: Jul 2004 | Location: in the twilight zone... | Posts: 32
hey guys hold on...! ! ! svchost.exe is a windows core process which always runs multiple instances and if u try to stop it, the system will hang up...it is not the infected file...try using norton by attachin ur HDD to another comp and run a full scan...obviously update norton first. u shud get the names of the virus after the scan and then just go to www.symantec.com and download the respective virus removal tools...scan...and u shud be up and runnin soon...best of luck...
oops...sorry wildy...hey me am just a non-techie dude ...just thought was helpin...thanx for the info...hopefully i havnt got him into any trouble...
#10 | 17-09-2004, 12:03 AM
Right Off the Assembly Line | Join Date: Jul 2004 | Location: Siliguri | Posts: 31
IG & FunkyB: You guys should do your homework before posting! You see, svchost.exe may be a key Windows component, but there *is* a virus out there that makes an infected copy of this file. None other than the Welchia worm. Don't you guys ever read Digit?????? That's where this issue was announced in the Virus alert column.
Here's some info on symptoms & removal (provided that in sr_ultimate's case it is Welchia and not some other variant):
http://www.pchell.com/virus/welchia.shtml
Do as it_waaznt_me thingy, dude. Paste the log the HijackThis creates on your computer and that way we might solve your problem.
#11 | 17-09-2004, 12:44 AM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
point taken.
i had an lsass shutdown a few hours back but my av says there is no infection. the problem did not repeat. here's my hijackthis logfile
Quote:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YServer.exe
F:\Softwares\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
O4 - HKLM\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E26C00-3490-44C1-9274-0D43D65F02C7}: NameServer = 202.144.10.50 202.144.13.50
#12 | 17-09-2004, 12:54 AM
Wise Old Owl | Join Date: Feb 2004 | Location: Palghar, Mumbai | Posts: 1,000
Re: Oye! I'm suffering from VIRUS
Quote:
Originally Posted by sr_ultimate
    1. My Xp hangs in the middle or restarts.
May be virus but it can also be faulty hardware. Check processor temp. and check ur RAM.
Quote:
Originally Posted by sr_ultimate
    2. When Computer is started they show many programs want to connect to the net like :
Go to Internet Options by right clicking the IE icon on the desktop.
Under the Connections tab, select "Never dial a connection".
If u have any other browser set as default browser, change its settings too so that it does not dial any connection.
Quote:
Originally Posted by sr_ultimate
    3. My computer's look changes, i.e. some of the icons are almost disgusting.
I bet this to be a virus.
Quote:
Originally Posted by sr_ultimate
    4. When I try to install 98 at start it says Boot record VIRUS (Y/N), when press Y it continues with the installation, then the same message appears at the installation stage but this time system hangs
This is virus protection offered by the BIOS.
Whenever the Master Boot Record (MBR) of ur HDD changes, u will get this warning.
U can disable this from the BIOS.
Quote:
Originally Posted by sr_ultimate
    5. I cannot install Norton or McAfee as system starts running DAMN slow.
    6. AVG Antivirus do not stand after restart that is it has to be reinstalled again if PC is restarted.
This is due to the virus.
No need to change ur harddisk.
I think one of ur CDs from which u install ur applications has these virii.
As batty said, give ur HijackThis log file.
btw to stop Redlof follow this:
First, start msconfig.
Under the Startup tab, deselect Kernel.dll as this is the virus file.
Now, go to Folder Options and select "Show Hidden and Operating system protected files".
Now search for desktop.ini and folder.htt.
Delete all these files.
Again check for kernel.dll's entry in msconfig.
Now restart Windows. Redlof is removed.
Check again with a good antivirus.
About Stinger, download the latest version of it on some other machine which is not infected with any virus. Now copy it to a floppy and then make the floppy read only by setting the switch, or burn it to CD.
Now run Stinger from this read-only source.
Best Of Luck....
__________________
i generally prefer quality over quantity
1 aadi + 1 aadi = 1 full ;)
#13 | 17-09-2004, 01:13 AM
In The Zone | Join Date: Apr 2004 | Location: 42.65 N 73.76 W | Posts: 213
download the removal for W32.Parite.B and VBS/Redlof
http://www.pandasoftware.com/download/utilities/
__________________
"99 little bugs in the code, 99 bugs in the code, fix one bug, compile it again, 148 little bugs in the code. 148 little bugs in the code...."
#14 | 17-09-2004, 09:52 AM
Davislav Ivanuiz!!! | Join Date: Apr 2004 | Location: Pune | Posts: 1,396
@FunkyB and IG, see th filename :
It's 'svchos tt.exe'. Viruses deliberately use filenames that resemble system files. In this case, th filename is similar to 'svchost.exe'. So, it's not a system process, but a virus.
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:
www.abhi247.com | The Photohblog A Little Lunacy! [v3]
Flickr!
#15 | 17-09-2004, 10:47 AM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
no svchostt here...guess its something else.
#16 | 17-09-2004, 10:58 AM
Davislav Ivanuiz!!! | Join Date: Apr 2004 | Location: Pune | Posts: 1,396
@IG, check this file : C:\WINDOWS\System32\winmon.exe. Is it something u installed? It is also registered as a service. Check its properties (date created, modified) and also see its description in Services ([Start]>>[Run]>>'services.msc').
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:
www.abhi247.com | The Photohblog A Little Lunacy! [v3]
Flickr!
#17 | 17-09-2004, 03:39 PM
Coming back to life .. | Join Date: Nov 2003 | Location: A bit closer to heaven | Posts: 1,997
Re: point taken.
Quote:
Originally Posted by IG
    C:\WINDOWS\System32\winmon.exe
You got a virus ... Here is the removal info ..
To proceed with your HijackThis log, run HijackThis again and put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
Quote:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect    Lol .. Don't remove it
    O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
    O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
    O4 - HKCU\..\Run: [Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /Startup
    O4 - HKLM\..\RunOnce: [Windows Monitor] winmon.exe
    O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
And btw .. You sure you posted the whole log ..? I don't see any DPF info here .. And not the version info too ..
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
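The two tells the posters above are applying by eye (post #14: a file name one typo away from a core process name such as 'svchostt.exe'; posts #16 and #17: an autostart entry that names 'winmon.exe' with no directory at all) can be checked mechanically over the O4 lines of a HijackThis log. The following is an added example, not code from the thread or from HijackThis. The list of core process names and the one-edit threshold are assumptions chosen for this example, and the sample log lines are constructed, modelled on the entries posted in this thread. It only reports; it removes nothing.

```python
"""Triage HijackThis O4 (autostart) lines for two signs flagged in this thread.

Added example; not code from the forum thread or from HijackThis. It applies
two heuristics the posters used by eye: an autostart program recorded only as
a bare file name ("winmon.exe") instead of a full path, and a file name that is
one edit away from a core Windows process name ("svchostt.exe" vs
"svchost.exe", "winlogin.exe" vs "winlogon.exe"). It reports; it removes nothing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Core NT 5.x process names that malware of the period liked to imitate (assumed list).
CORE_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Constructed sample: O4 entries modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\Run: [Generic Host] svchostt.exe
O4 - Global Startup: winlogin.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<label>[^\]]*)\] )?(?P<cmd>.+)$")
# Optional leading quote, then the shortest prefix that ends in an executable extension.
EXE_PATH = re.compile(r'"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|cmd))\b', re.IGNORECASE)


@dataclass
class Finding:
    where: str          # registry key or startup folder HijackThis reported
    label: str | None   # value name in square brackets, if any
    path: str           # executable exactly as recorded in the entry
    reasons: list[str] = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_path(cmd: str) -> str | None:
    """Pull the executable out of the command part of an O4 entry."""
    if " = " in cmd:                       # "Foo.lnk = C:\...\foo.exe" shortcut form
        cmd = cmd.split(" = ", 1)[1]
    m = EXE_PATH.match(cmd)
    return m.group("path") if m else None


def lookalike_of(basename: str) -> str | None:
    """Return the core process name this file name imitates, or None."""
    name = basename.lower()
    if name in CORE_PROCESS_NAMES:         # an exact core name is judged by its location, not its name
        return None
    for core in sorted(CORE_PROCESS_NAMES):
        if osa_distance(name, core) == 1:
            return core
    return None


def analyze_o4(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        if path is None:
            continue
        basename = path.rsplit("\\", 1)[-1]
        reasons = []
        if "\\" not in path and ":" not in path:
            reasons.append("bare file name: resolved via the search path at logon, so check where it really lives")
        core = lookalike_of(basename)
        if core:
            reasons.append(f"name is one edit away from core process {core}")
        if reasons:
            findings.append(Finding(m.group("where"), m.group("label"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f"{f.where} [{f.label}] {f.path}")
        for r in f.reasons:
            print("   -", r)
```

The distance check uses a threshold of exactly one edit (including a swapped pair of letters), which catches the 'svchostt.exe' and 'winlogin.exe' forms seen in this thread without flagging legitimate near-neighbours such as iexplore.exe against explorer.exe. A hit is a prompt to check the file's real location, timestamps and service registration, as post #16 suggests, not a verdict on its own.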
#18 | 17-09-2004, 06:40 PM
Broken In | Join Date: Mar 2004 | Location: Suspense | Posts: 135
OK now my whole computer is not working, I'm in a cyber cafe. My computer says disk error; while rebooting XP it has to restart, but after restarting it again says boot failure, that means it does not boot now !!!!!!!!!!!!!!!
MAN I'm Dead
__________________
Me - Gone :(
#19 | 17-09-2004, 06:55 PM
Davislav Ivanuiz!!! | Join Date: Apr 2004 | Location: Pune | Posts: 1,396
What did u do ? Explain in detail.
__________________
I was here when the forum's swear filter kept bleeping out the word 'FUNK'. :crazy::censored::eeksign:
www.abhi247.com | The Photohblog A Little Lunacy! [v3]
Flickr!
#20 | 17-09-2004, 10:13 PM
Right Off the Assembly Line | Join Date: Jul 2004 | Location: in the twilight zone... | Posts: 32
@ Kl@w-24
enlightened and humbled...thankfully my task manager seems to show nothin suspicious...
hey can u guys help me out too...we hav a 128k PPPoE net con in office...it was an 'always on' type con. but recently Calcutta Telephones has introduced a dialer as an authentication interface. the prob is...that the con works fine on the machine that it is directly connected to but we cant share it...even after enabling ICS on WinXP Pro and disabling the inbuilt firewall nothin works. also...before the dialer, the main machine was assigned a static ip, now it has dynamic ip...any suggestions or links where i can get more info...do i hav to install a proxy server, and if i hav to which one is the best? we hav about 12 machines on lan right now and want to share the con with only 2...help plz...
#21 | 17-09-2004, 11:01 PM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
@it_wazzant_me....dude i made heap big mistake and removed the title line from my ie.dont remember how to put it back on.how do i do it???
#22 | 17-09-2004, 11:15 PM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
@it _wazznt_me: nvm..got it back on.i removed the first few lines from my logfile cos i dint think it wud be needed.
i got the removal tool from sophos and ran it.did not detect anythin.neither did stinger.only thing is avg keeps warning that i got agobot in my system .removes it every time i run it,but warns again.a few days back my firewalls stopped working.i used zonealarm at first..but it gave trouble so i shifted to sygate..that gave trouble as well so i tried kerio last night.thing is as soon as i use the firewall to block winmon and lsa shell export from accessing the net,my connection stops working.its online but no data flow.and the scan dont detect sasser either.
anyways i have run avg antivirus,mcafee stinger and the sdbot removal tool from sophos.removed the stuff u told me to remove using hijack this.
here's my logfile
Quote:
Logfile of HijackThis v1.97.7
Scan saved at 11:12:39 PM, on 9/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\winmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
F:\Softwares\sdbotgui.com
F:\Softwares\HijackThis.exe
C:\WINDOWS\System32\taskmgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mistakes Are Always Perfect
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [Windows Monitor] winmon.exe
O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3E26C00-3490-44C1-9274-0D43D65F02C7}: NameServer = 202.144.10.50 202.144.66.6
is it time i formatted again??
#23 | 18-09-2004, 12:18 AM
Coming back to life .. | Join Date: Nov 2003 | Location: A bit closer to heaven | Posts: 1,997
Quote:
Originally Posted by IG
    Logfile of HijackThis v1.97.7 <-- Btw .. This is an ancient version of HJT ..
    Platform: Windows XP SP1 (WinNT 5.01.2600) <-- You should install SP2
    C:\WINDOWS\System32\winmon.exe <-- Kill this process first
To proceed with your HijackThis log, run HijackThis again and put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
Quote:
    O4 - HKCU\..\RunOnce: [Windows Monitor] winmon.exe
    O4 - HKCU\..\RunOnce: [ Windows & Internet Cleaner] C:\Program Files\Windows & Internet Cleaner\WICleaner.exe /ErIEIndex
And did you apply the Microsoft patch described Here ..?
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
#24 | 18-09-2004, 12:32 AM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
tried killing winmon not dying...sdbot.gui is the sophos tool to remove sdbot infection.
sp2 mite not install...no need to elaborate 
where can i get a more recent version of hjt? wasnt it on a digit cd sometime back?
btw is there a prob with the windows cleaner? i use it to clean the cookies and all at startup.
#25 | 18-09-2004, 12:41 AM
Coming back to life .. | Join Date: Nov 2003 | Location: A bit closer to heaven | Posts: 1,997
HijackThis can be found here ... I was editing the post while you replied to it ...
And btw .. Anything is possible ..
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!
#26 | 18-09-2004, 06:27 PM
Broken In | Join Date: Mar 2004 | Location: Suspense | Posts: 135
yaar whole of my computer is now dumped, I deleted the svchostt and did the fixmbr but now my whole computer won't start.
Now it goes like this:
it does not take 98 as before and XP is gone too.
I think it will be better to buy a new hard disk, will it cure it?
__________________
Me - Gone :(
#27 | 18-09-2004, 11:02 PM
Broken In | Join Date: Mar 2004 | Location: Chennai | Posts: 188
kaspersky dont find a virus but avg keeps finding agobot and removing it everytime i run it....format here i come!!
#28 | 19-09-2004, 03:51 AM
Right Off the Assembly Line | Join Date: Jul 2004 | Location: Siliguri | Posts: 31
And remember, you may remove Redlof (if that's what you got) successfully from memory, but it WILL stay hidden inside any HTML files you have got, as it plants its code inside every HTML page it can find. If you even view those HTML files in your browser, you'll get the virus again.
So keep an anti-virus installed and running. Enable any live protection it has. Please keep an anti-virus running, as the performance hit is well worth the security it offers in those days of sneaky viruses.
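Post #12 above says the cleanup step is to find every desktop.ini and folder.htt, and the post just above warns that the VBScript also sits inside ordinary HTML files. The following is an added example, not code from the thread or from any antivirus vendor: a scanner that walks a directory tree and lists those three kinds of leftovers without deleting anything. The test for an inline VBScript block is a generic heuristic chosen for this example, not a signature of the virus, so it will also list legitimate pages that use VBScript; the desktop.ini check (a reference to folder.htt) is likewise an assumption about how the Web View hook is wired. The demo tree it scans is constructed in a temporary directory.

```python
"""Inventory what a Redlof-style HTML infector leaves behind, without deleting anything.

Added example; not code from the forum thread. It reports three things under a
directory: any folder.htt; any desktop.ini that references a folder.htt (the
Explorer Web View hook, assumed here to be how the template gets run when a
folder is opened); and any .htm/.html/.htt file carrying an inline VBScript
block (a generic heuristic, not a virus signature).
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

HTML_EXTENSIONS = {".htm", ".html", ".htt"}
VBSCRIPT_TAG = re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.IGNORECASE)
HEAD_BYTES = 64 * 1024   # enough to catch a script block near the top of a page


@dataclass(frozen=True, order=True)
class Hit:
    path: str
    reason: str


def read_head(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(HEAD_BYTES)


def scan_tree(root: str) -> list[Hit]:
    """Walk root and return sorted (path, reason) hits; a file may appear twice."""
    hits: list[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == "folder.htt":
                hits.append(Hit(full, "folder.htt web-view template"))
            elif lower == "desktop.ini" and b"folder.htt" in read_head(full).lower():
                hits.append(Hit(full, "desktop.ini points Explorer at a folder.htt"))
            if os.path.splitext(lower)[1] in HTML_EXTENSIONS and VBSCRIPT_TAG.search(read_head(full)):
                hits.append(Hit(full, "inline VBScript block"))
    return sorted(hits)


# Constructed demo tree: two clean files, one page with an inline VBScript block,
# and a folder carrying the desktop.ini + Folder.htt pair.
DEMO_FILES = {
    "site/index.html": b"<html><body>nothing to see</body></html>\n",
    "site/page.html": b"<html><script language=\"VBScript\">'demo placeholder\n</script></html>\n",
    "site/desktop.ini": b"[.ShellClassInfo]\r\nPersistMoniker=file://Folder.htt\r\n",
    "site/Folder.htt": b"<html><script language=VBScript>'demo placeholder\n</script></html>\n",
    "docs/desktop.ini": b"[.ShellClassInfo]\r\nIconFile=icon.ico\r\n",
}


def demo() -> list[tuple[str, str]]:
    """Build the demo tree in a temp dir, scan it, return (relative path, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in DEMO_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(h.path, root).replace(os.sep, "/"), h.reason)
                for h in scan_tree(root)]


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real drive by calling scan_tree on the drive root and reviewing the list by hand; a page that legitimately uses VBScript will show up too, which is why the script lists rather than deletes. Files reported twice (a folder.htt that also contains a script block) are the ones to look at first.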
#29 | 24-09-2004, 12:36 AM
Right Off the Assembly Line | Join Date: Jul 2004 | Location: in the twilight zone... | Posts: 32
hi there ppl need ur help big time...!
my friend's comp has been infected by spyware and we just cant get rid of it. hav used both AdAware and Spybot...they both report some infection each time and then clean them but it keeps comin back. everytime i try to surf, my IE gets redirected to some page claimin to help me remove the spyware. spybot shows an assortment of names and cleans them but one of them called dialler just doesnt go. spybot says that it cant remove it. hav updated both ad aware and spybot but to no avail. am postin the HiJackThis and the AdAware log files. plz help asap...
Quote:
Logfile of HijackThis v1.97.7
Scan saved at 00:10:18, on 24/09/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\soundman.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [winspool] C:\WINNT\System32\winspoolx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: Yahoo! Chat 1.3 - http://jcs.chat.dcn.yahoo.com/c174/chat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...173.0277546296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B55D300-6B8E-43B3-B9D0-9D173F34C4B6}: NameServer = 172.16.0.1,202.54.9.1
Quote:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :23 September 2004 23:53:09
Created with Ad-aware Personal, free for private use.
Using reference-file :01R341 14.09.2004
______________________________________________________
Reffile status:
=========================
Reference file loaded:
Reference Number : 01R341 14.09.2004
Internal build : 275
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1336435 Bytes
Signature data size : 1314779 Bytes
Reference data size : 21592 Bytes
Signatures total : 29077
Target categories : 10
Target families : 542
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:39 %
Total physical memory:228848 kb
Available physical memory:88872 kb
Total page file size:732304 kb
Available on page file:591972 kb
Total virtual memory:2097024 kb
Available virtual memory:2054672 kb
OS:Windows 2000
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
23-09-2004 23:53:09 - Scan started. (Smart mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 23-09-2004 18:16:30
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:39
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:41
BasePriority : Normal
FileSize : 86 KB
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:06:36
Last modified : 22/07/2002 06:35:04
#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:41
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.5430
ProductVersion : 5.00.2195.5430
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:16:41
Last modified : 22/07/2002 06:35:04
#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:46
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00
#:6 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:16:47
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.01.10
ProductVersion : 1.01.10
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 12/09/2002 14:22:38
Last accessed : 23/09/2004 18:19:19
Last modified : 12/09/2002 14:22:38
#:7 [nisum.exe]
FilePath : C:\Program Files\Norton Internet Security\
ThreadCreationTime : 23-09-2004 18:16:48
BasePriority : Normal
FileSize : 137 KB
FileVersion : 6.01.1005
ProductVersion : 6.01.1005
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security NISUM
InternalName : NISUM
OriginalFilename : NISUM.exe
ProductName : Norton Internet Security
Created on : 20/09/2002 21:15:12
Last accessed : 23/09/2004 18:06:44
Last modified : 20/09/2002 21:15:12
#:8 [lexbces.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 278 KB
FileVersion : 5,12,00,00
ProductVersion : 5,12,00,00
Copyright : (C) 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 29/01/2003 11:06:41
Last accessed : 23/09/2004 18:16:53
Last modified : 07/06/2000 07:08:06
#:9 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.4299
ProductVersion : 5.00.2195.4299
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 29/01/2003 16:11:19
Last accessed : 23/09/2004 18:16:53
Last modified : 22/07/2002 06:35:04
#:10 [lexpps.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:16:53
BasePriority : Normal
FileSize : 166 KB
FileVersion : 5,12,00,00
ProductVersion : 5,12,00,00
Copyright : (C) 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 29/01/2003 11:06:41
Last accessed : 23/09/2004 18:16:53
Last modified : 07/06/2000 07:04:40
#:11 [cdantsrv.exe]
FilePath : C:\WINNT\System32\DRIVERS\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 31 KB
FileVersion : 3.22.020
ProductVersion : 3.22.020 Windows NT 2000/12/15
Copyright : Copyright (c) C-Dilla and Macrovision 1993-2000
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
OriginalFilename : CDANTSRV.EXE
ProductName : CD-Secure/CD-Compress Windows NT
Created on : 15/01/2001 09:50:24
Last accessed : 23/09/2004 18:16:54
Last modified : 15/01/2001 09:50:24
#:12 [ccpxysvc.exe]
FilePath : C:\Program Files\Norton Internet Security\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 33 KB
FileVersion : 6.01.1005
ProductVersion : 6.01.1005
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Internet Security Proxy Service
InternalName : ccPxySvc
OriginalFilename : ccPxySvc.exe
ProductName : Norton Internet Security
Created on : 20/09/2002 21:13:50
Last accessed : 23/09/2004 18:23:10
Last modified : 20/09/2002 21:13:50
#:13 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:16:54
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00
#:14 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 23-09-2004 18:16:55
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 04:37:30
Last accessed : 23/09/2004 18:16:55
Last modified : 23/02/2001 04:37:30
#:15 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 23-09-2004 18:16:56
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.00.1104
ProductVersion : 9.00.1104
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 19/08/2002 17:05:38
Last accessed : 23/09/2004 18:19:19
Last modified : 19/08/2002 17:05:38
#:16 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 23-09-2004 18:17:01
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 23/09/2004 15:30:00
Last accessed : 23/09/2004 18:06:51
Last modified : 14/08/2002 00:33:00
#:17 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:04
BasePriority : Normal
FileSize : 65 KB
FileVersion : 5.00.2195.3649
ProductVersion : 5.00.2195.3649
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 31/07/2004 10:32:30
Last accessed : 23/09/2004 18:17:04
Last modified : 22/07/2002 06:35:04
#:18 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:05
BasePriority : Normal
FileSize : 115 KB
FileVersion : 4.71.2195.1
ProductVersion : 4.71.2195.1
Copyright : Copyright (C) Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 31/07/2004 10:32:23
Last accessed : 23/09/2004 18:17:05
Last modified : 22/07/2002 06:35:04
#:19 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 23-09-2004 18:17:05
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 31/07/2004 10:32:44
Last accessed : 23/09/2004 18:17:05
Last modified : 22/07/2002 06:35:04
#:20 [mspmspsv.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:17:06
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft (R) DRM
Created on : 29/01/2003 11:35:55
Last accessed : 23/09/2004 18:17:06
Last modified : 01/05/2001 11:36:22
#:21 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 23-09-2004 18:17:07
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00
#:22 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:17:07
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 07/12/1999 04:00:00
Last accessed : 23/09/2004 18:23:09
Last modified : 07/12/1999 04:00:00
#:23 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 23-09-2004 18:21:46
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 31/07/2004 10:32:38
Last accessed : 23/09/2004 18:20:33
Last modified : 22/07/2002 06:35:04
#:24 [symtray.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:21:46
BasePriority : Normal
FileSize : 84 KB
FileVersion : 2003.6.49
ProductVersion : 2003.6.49
Copyright : Copyright (c) 1997-2002 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton SystemWorks SymTray
InternalName : SymTray.exe
OriginalFilename : SymTray.exe
ProductName : Norton SystemWorks
Created on : 28/08/2002 19:14:54
Last accessed : 23/09/2004 18:21:47
Last modified : 28/08/2002 19:14:54
#:25 [soundman.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 121 KB
FileVersion : 4.1
ProductVersion : 4.1
Copyright : Copyright (c) 2000-2001 Avance Logic, Inc.
CompanyName : Avance Logic, Inc.
FileDescription : Avance Sound Effect Manager
InternalName : SoundMan
OriginalFilename : SoundMan.exe
ProductName : Avance Sound Effect Manager v.4.1
Created on : 29/01/2003 11:00:12
Last accessed : 23/09/2004 18:20:46
Last modified : 16/01/2002 16:34:52
#:26 [lxsupmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 775 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Lexmark
FileDescription : Supplies Monitor
InternalName : LXSUPMON
OriginalFilename : LXSUPMON.RC
ProductName : Lexmark Supplies Monitor
Created on : 30/04/2003 11:49:00
Last accessed : 23/09/2004 18:20:47
Last modified : 07/06/2000 07:31:38
#:27 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.02.05
ProductVersion : 1.02.05
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 20/09/2002 21:12:50
Last accessed : 23/09/2004 18:20:49
Last modified : 20/09/2002 21:12:50
#:28 [createcd.exe]
FilePath : C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 256 KB
FileVersion : 4.02S (287)
ProductVersion : 4.02S (287)
Copyright : Copyright (c) 1996-2000 Adaptec, Inc.
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator
Created on : 24/03/2004 07:49:17
Last accessed : 23/09/2004 18:21:33
Last modified : 24/03/2004 07:49:50
#:29 [ctfmon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 8 KB
FileVersion : 1.00.2409.7 built by: Lab06_N
ProductVersion : 1.00.2409.7
Copyright : Copyright (C) Microsoft Corporation. 1981-2001
CompanyName : Microsoft Corporation
FileDescription : Cicero Loader
InternalName : CICLOAD
OriginalFilename : CICLOAD.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 20/02/2001 07:39:54
Last accessed : 23/09/2004 18:17:30
Last modified : 20/02/2001 07:39:54
#:30 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 23-09-2004 18:21:47
BasePriority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0133
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 18/04/2004 17:15:08
Last accessed : 23/09/2004 18:20:19
Last modified : 18/04/2004 17:15:08
#:31 [ymsgr_tray.exe]
FilePath : C:\PROGRA~1\Yahoo!\MESSEN~1\
ThreadCreationTime : 23-09-2004 18:21:54
BasePriority : Normal
FileSize : 88 KB
Created on : 23/09/2004 15:51:46
Last accessed : 23/09/2004 18:07:47
Last modified : 21/05/2004 07:19:52
#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 23-09-2004 18:22:58
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 10/08/2004 19:43:12
Last accessed : 23/09/2004 17:27:42
Last modified : 12/07/2003 15:30:20
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj
CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : plugin6.dnserrobj.1
CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{444a5674-ff85-45d4-9ae2-4199d8d70c85}
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 3
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.windowws.
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.windowws.cc/hp.htm?id=632"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://www.windowws.cc/hp.htm?id=632"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.windowws.cc
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.windowws.cc/hp.htm?id=632"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "http://www.windowws.cc/hp.htm?id=632"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Barabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "about:blank"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistantabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Category : Malware
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "about:blank"
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 7
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
CoolWebSearch Object recognized!
Type : File
Data : 2h8cer1lzoi96.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 07:56:05
Last accessed : 23/09/2004 18:24:40
Last modified : 10/08/2004 07:56:05
CoolWebSearch Object recognized!
Type : File
Data : 2z2v5cwyi9bs.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 07:56:02
Last accessed : 23/09/2004 18:24:40
Last modified : 10/08/2004 07:56:02
CoolWebSearch Object recognized!
Type : File
Data : e18u4jzix8n6r.dll
Category : Malware
Comment :
Object : C:\WINNT\System32\
FileSize : 56 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2004
FileDescription : plugin6 Module
InternalName : plugin6
OriginalFilename : plugin6.DLL
ProductName : plugin6 Module
Created on : 10/08/2004 18:21:17
Last accessed : 23/09/2004 18:24:45
Last modified : 10/08/2004 18:21:17
Scanning Hosts file(C:\WINNT\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 10
Possible Browser Hijack attempt Object recognized!
Type : File
Data : free xxx pics & movies.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://gotosex4all.com
Object : C:\Documents and Settings\Administrator\Favorites\
Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:34
Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{0D721150-AEF3-457B-B03A-5097B623CE45}
CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout
CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : uninstal
CoolWebSearch Object recognized!
Type : File
Data : free xxx pics & movies.url
Category : Malware
Comment :
Object : c:\documents and settings\administrator\favorites\
Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:34
CoolWebSearch Object recognized!
Type : File
Data : ieengine.exe
Category : Malware
Comment :
Object : c:\program files\internet explorer\
Created on : 20/08/2004 06:24:14
Last accessed : 23/09/2004 18:24:58
Last modified : 23/09/2004 17:20:35
Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 5
Objects found so far: 16
23:54:59 Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:01:49:27
Objects scanned :45188
Objects identified :16
Objects ignored :0
New objects :16
29-09-2004, 01:25 AM
#30 (permalink)
Coming back to life ..
Join Date: Nov 2003
Location: A bit closer to heaven
Posts: 1,997
To proceed with your HijackThis log, run HijackThis again, put a checkmark next to these entries and click on Fix Checked.
Please make sure that all Internet Explorer and Windows Explorer windows are closed.
Quote:
Originally Posted by ****
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmp.exe <-- Kill this process first from Task Manager and delete the file after reboot.
Quote:
O4 - HKLM\..\Run: [winspool] C:\WINNT\System32\winspoolx.exe
O4 - Global Startup: winlogin.exe <-- Virus
O15 - Trusted Zone: *.greg-search.com
__________________
Sleight of hand and twist of fate...
On a bed of nails she makes me wait...
And I wait without you ...
With or without you ..
----
Batty = Too Busy Now !!!