mbbradford
Can't get rid of Adware-MemWatcher
I have been infected with a trojan which has been cleaned up, but in the process also picked up a lot of adware. Spybot and McAfee cannot permanently delete this, although they both appear to. With Spybot, they are detected and deleted but come right back. With McAfee, they cannot be cleaned or deleted, but they can be quarantined and later deleted with "manage quarantined files", but they still come right back.
What can I do?
Here is a "hijack this" log:
Logfile of HijackThis v1.97.7
Scan saved at 1:35:55 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\IEHost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SysAI\SysAI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
C:\Documents and Settings\Dell Desktop\Local Settings\Temp\Temporary Directory 1 for cwshredder.zip\CWShredder.exe
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: IncrediFindBHO Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WinTools\btiein.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.3273611111
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
Something else to try is:
Start > Run msconfig
Click on the tab marked "Startup"
Click the Disable All button.
If the problem no longer persists, then one of the items in the startup is the culprit; you just need to track it down.
I am not sure what these are
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
Well, those first three files I listed are definitely linked to a virus.
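The entries singled out above share the two tells a reviewer looks for first in a HijackThis log: a Run-key value name that looks machine-generated, and an executable living in a temp or user-profile folder rather than under Program Files or System32. The Python script below is added here as an illustration and is not part of this thread or of HijackThis; it parses O4 (Run key) and O2 (BHO) lines in the v1.97 format and lists the entries worth checking. The sample lines are constructed from the ones quoted above, and the random-name heuristic is my own, so a hit means "look at this", not "delete this" (legitimate OEM entries such as BCMSMMSG would trip the no-vowels rule too).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape HijackThis v1.97 emits, modelled on the
# entries quoted in this thread; it is not the full log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\NulP8r9.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# O4 lines: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
# O2 lines: "O2 - BHO: (name) - {CLSID} - path"
O2_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# Pull the executable out of a command line that may be quoted and carry switches.
EXE_RE = re.compile(r'^"?(.*?\.exe)"?', re.IGNORECASE)

VOWELS = set("aeiouAEIOU")


@dataclass
class Finding:
    kind: str                      # "O4" or "O2"
    name: str                      # Run-key value name, or BHO CLSID
    path: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic (my own) for generated value names like 2HQCYHF3DNW2CN or rs6T3Ei."""
    compact = name.replace(" ", "")
    if len(compact) <= 2:
        return True                # one- or two-letter names such as [z]
    has_digit = any(c.isdigit() for c in compact)
    vowel_ratio = sum(c in VOWELS for c in compact) / len(compact)
    return has_digit or vowel_ratio < 0.15


def suspicious_path(path: str) -> list:
    """Locations a persistent autostart executable has no business living in."""
    reasons = []
    low = path.lower()
    if "\\temp\\" in low:
        reasons.append("runs from a temp directory")
    if "\\application data\\" in low or "\\documents and settings\\" in low:
        reasons.append("executable stored in a user profile folder")
    return reasons


def triage(log_text: str) -> list:
    """Return the O4/O2 entries a reviewer should look at first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            _hive, name, rest = m.groups()
            exe = EXE_RE.match(rest)
            path = exe.group(1) if exe else rest
            reasons = suspicious_path(path)
            if looks_random(name):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(Finding("O4", name, path, reasons))
            continue
        m = O2_RE.match(line)
        if m and "(file missing)" in line:
            clsid, path = m.groups()
            path = path.replace(" (file missing)", "")
            findings.append(Finding("O2", clsid, path, ["BHO registered but DLL is missing"]))
    return findings


def flagged_names(log_text: str) -> set:
    """Convenience wrapper: just the names/CLSIDs that were flagged."""
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}: {'; '.join(f.reasons)}")
```

Run against the sample it flags [z], [2HQCYHF3DNW2CN], [rs6T3Ei], [Crru] and the orphaned IncrediFind BHO, and leaves IgfxTray, QuickTime Task and MoneyAgent alone. Feeding it a full log is a matter of reading the file into `triage()`; the point of the two-signal design is that a random name alone or an odd path alone is only a hint, and the reviewer still confirms each hit before removing it.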
ASKER
Thanks Crazyone,
I disabled everything in the startup menu, and have a slowdown in the popup ads. I will wait a while and see if that takes care of that problem.
I also deleted the top three files you mentioned with HijackThis. Let's see what happens.
I need to learn more about this stuff. Is there a book or a website that has a detailed explanation that I should get?
Thanks,
Bruce
Hi!
You have PeperA trojan, among other things.
We've found it's usually best to deal with that first.
You can download one of these tools from:
http://www.mjc1.com/files/peperpage/uninst.exe
http://home.iprimus.com.au/mbuchan/peperuninst.exe
I suggest trying the first one initially - when you run it, make sure you're online; it may try to access the internet - let it.
Since you're running XP you'll probably want to disable System Restore, so that nothing is hiding in there.
After you run it, reboot and post a new HijackThis log for us to look at.
Also it's a good idea to place HijackThis in its own folder - a centralized place for backups and logs.
Good luck!
ASKER
Hi rossfingal,
Thanks for your help.
I should mention first that since the start of this thread, I have reinstalled Windows and drivers, updated Spybot, and cleaned up many new things that it found.
But I still have 6 programs with random names that cannot be deleted, and when I see them as active processes and disable them, they come back active in a few seconds. Devils.
I have done as you asked above. The peperpage uninstall ran in a command window in a blink, so I can't say if it ended with a "congratulations" or a "sucks to be you" message, but at least it seems to have done what was expected. I then linked to the second mbuchan peperuninst.exe but the link was not available.
Then I rebooted as asked and moved HijackThis to its own folder, and here is the log:
Also, I recognize the qife4 as one of the bad guys
also temp/q.exe
also virtualbounder.exe
Logfile of HijackThis v1.97.7
Scan saved at 11:28:54 PM, on 5/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\Qife4.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\Lycos\IEagent\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\YjpWR9t0.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBoun
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Mic
O6 - HKCU\Software\Policies\Mic
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-F
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5
O16 - DPF: {917623D1-D8E5-11D2-BE8B-0
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {A17E30C4-A9BA-11D4-8673-6
O16 - DPF: {B9191F79-5613-4C76-AA2A-3
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C
O16 - DPF: {D18F962A-3722-4B59-B08D-2
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {E855A2D4-987E-4F3B-A51C-6
ASKER
Hi rossfingal,
Thanks for the response, I'll do this as soon as I get home from work tonight.
Regards,
Bruce
Cleaning your computer - and protecting it in the future - can't be answered with one issue.
As you can see in my URL below there are at least 7 different issues, where you should decide on 1 of each, or else you don't protect your computer at all.
The reason is that the many different programs don't always protect against each other, and each of them doesn't protect equally.
It's very important that you study all of these issues in my knowledgebase (some of them are freeware):
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html
BTW: I'm using the Trend Micro virus suite and SoftScan, and haven't had any of my servers or computers infected since 1999.
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
ASKER
Hi rossfingal,
I'm halfway there. I downloaded, configured, and ran Ad-aware per your instructions. I don't know what to remove, so I'm posting the log. After posting this message, I will "remove all" and complete your original instructions. Thanks again for your help.
Here is the log file:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, May 03, 2004 12:45:04 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R301 03.05.2004
______________________________________________________
Reffile status:
=========================
Reference file loaded:
Reference Number : 01R298 20.04.2004
Internal build : 229
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1067557 Bytes
Signature data size : 1049356 Bytes
Reference data size : 18137 Bytes
Signatures total : 23569
Target categories : 10
Target families : 455
5-3-2004 12:35:55 PM Performing Webupdate...
Installing Update...
Reference file loaded:
Reference Number : 01R301 03.05.2004
Internal build : 233
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1082422 Bytes
Signature data size : 1064020 Bytes
Reference data size : 18338 Bytes
Signatures total : 23868
Target categories : 10
Target families : 460
5-3-2004 12:36:04 PM Success.
Update successfully downlodaded and installed.
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:260096 kb
Available physical memory:74568 kb
Total page file size:640412 kb
Available on page file:403788 kb
Total virtual memory:2097024 kb
Available virtual memory:2048712 kb
OS:
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result
5-3-2004 12:45:04 PM - Scan started. (Custom mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-3-2004 4:16:53 PM
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:16:56 PM
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 7/16/2003 8:44:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:44:23 PM
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 7/16/2003 8:32:16 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:32:16 PM
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM
#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:28:11 PM
Last accessed : 5/3/2004 4:28:47 PM
Last modified : 7/16/2003 8:28:11 PM
#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 7/16/2003 8:46:20 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:46:20 PM
#:9 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 5-3-2004 4:17:07 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 10:21:10 PM
Last accessed : 5/3/2004 4:17:07 PM
Last modified : 10/7/2003 10:21:10 PM
#:10 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 10:20:18 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 10/7/2003 10:20:18 PM
#:11 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 360 KB
Created on : 5/2/2004 2:20:27 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 9/11/2002 1:26:26 AM
#:12 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 5/2/2004 2:14:34 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 7/11/2003 6:51:16 PM
#:13 [dpi.exe]
FilePath : C:\Program Files\Common Files\Dpi\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM
Warning! PromulGate object found in memory(C:\Program Files\Common Files\Dpi\dpi.exe)
PromulGate Object recognized!
Type : Process
Data : dpi.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\Dpi\
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM
"dpi.exe"Process terminated successfully.
#:14 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 2003, 7, 14, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 5/2/2004 2:14:08 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 7/14/2003 1:55:44 PM
#:15 [pcsvc.exe]
FilePath : C:\WINDOWS\system32\pcs\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM
Warning! PromulGate object found in memory(C:\WINDOWS\system32\pcs\pcsvc.exe)
PromulGate Object recognized!
Type : Process
Data : pcsvc.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\pcs\
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM
"pcsvc.exe"Process terminated successfully.
#:16 [senrcall.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 84 KB
Created on : 5/1/2004 8:10:58 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 5/1/2004 8:10:39 PM
#:17 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 160 KB
FileVersion : 8, 0, 0, 15
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:17:10 PM
Last modified : 8/18/2003 2:50:34 AM
#:18 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 404 KB
FileVersion : 8, 0, 0, 20
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
OriginalFilename : mcvsescn.EXE
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:29 PM
Last accessed : 5/3/2004 4:15:59 PM
Last modified : 9/28/2003 6:47:00 PM
#:19 [mcagent.exe]
FilePath : c:\program files\mcafee.com\agent\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 27
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 1/7/2004 5:26:14 PM
Last accessed : 5/3/2004 4:17:11 PM
Last modified : 12/8/2003 8:38:52 PM
#:20 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.10.1006
ProductVersion : 8.10.1006
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:12 PM
Last modified : 10/6/2003 4:05:40 PM
#:21 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 1344 KB
FileVersion : 1,0,17,5
ProductVersion : 1,0,17,5
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 12/30/2003 4:37:09 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/6/2003 10:58:26 PM
#:22 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:13 PM
Last modified : 10/6/2003 4:05:40 PM
#:23 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 8, 0, 0, 12
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/8/2003 11:04:38 PM
#:24 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 6/20/2003 5:25:00 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 6/20/2003 5:25:00 AM
#:25 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:18 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 12/30/2003 4:37:15 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 1/10/2003 11:13:04 PM
#:26 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.05b
Copyright : Copyright
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
Created on : 12/30/2003 4:35:55 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 8/6/2003 7:04:00 AM
#:27 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.24 02/24/2003 18:29:41
ProductVersion : 3.5.24 02/24/2003 18:29:41
Copyright : Copyright
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 6/2/2003 11:00:30 AM
#:28 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:25 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 3.0.0.2285
ProductVersion : 7.0.0.2285
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel(R) Common User Interface
Created on : 10/2/2003 6:19:44 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 10/2/2003 6:19:44 PM
#:29 [wtoolsa.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:27 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:41 AM
Last accessed : 5/3/2004 4:17:27 PM
Last modified : 4/30/2004 2:48:08 PM
#:30 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ThreadCreationTime : 5-3-2004 4:17:28 PM
BasePriority : High
FileSize : 220 KB
Created on : 1/23/2004 1:53:46 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 3/13/2002 1:50:34 PM
#:31 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:26:03 PM
Last accessed : 5/3/2004 4:17:30 PM
Last modified : 7/16/2003 8:26:03 PM
#:32 [wtoolss.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 75 KB
Created on : 5/3/2004 12:11:45 AM
Last accessed : 5/3/2004 4:17:31 PM
Last modified : 4/20/2004 12:15:06 PM
#:33 [wsup.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:31 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:42 AM
Last accessed : 5/3/2004 4:17:38 PM
Last modified : 4/30/2004 2:48:08 PM
#:34 [qife4.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:46 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:20:06 PM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:20:06 PM
#:35 [wvyq4ux.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:49 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:50:01 AM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:50:01 AM
#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:18:19 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:18:37 PM
BasePriority : Normal
FileSize : 136 KB
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:18:36 PM
Last modified : 8/29/2002 11:00:00 AM
#:38 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:19:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:39 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:33:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 5-3-2004 4:35:18 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/3/2004 4:33:47 PM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 7/13/2003 1:00:20 AM
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
AdDestroyer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\vb and vba program settings\addestroyer
Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000000-0000-0000-0000-000000000221}
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore.1
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\CLRSCH
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000221}
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{60494593-5408-447d-bd5e-a16640d6af99}
ClickSpring Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\ClickSpring
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho.1
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4fc95edd-4796-4966-9049-29649c80111d}
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{5d60ff48-95be-4956-b4c6-6bb168a70310}
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5d60ff48-95be-4956-b4c6-6bb168a70310}
Favoriteman Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAUTO_UNINSTALL
MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MemoryWatcher
MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MemoryWatcher
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000EF1-0786-4633-87C6-1AA7A44296DA}
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000ef1-0786-4633-87c6-1aa7a44296da}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client.1.1
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A4A58A2C-B039-432B-8BC1-DCA7AC0757DC}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Apropos
VirtualBouncer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\VB and VBA Program Settings\VBouncer
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSearch
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\WhenUSearch
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : WUSE.1
eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {5D60FF48-95BE-4956-B4C6-6BB168A70310}
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Counter"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Counter
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Server"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Server
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Object"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Object
Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{00000762-3965-4A1A-98CE-3D4BF457D4C8}"
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value : {00000762-3965-4A1A-98CE-3D4BF457D4C8}
Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{000007AB-7059-463E-BD44-101A1750D732}"
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Value : {000007AB-7059-463E-BD44-101A1750D732}
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 34
Objects found so far: 36
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Dpi"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Dpi
PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Pcsv"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Pcsv
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 38
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[3].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:33:54 PM
Last accessed : 5/3/2004 4:33:54 PM
Last modified : 5/3/2004 4:33:54 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@atdmt[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:06:44 PM
Last accessed : 5/3/2004 4:06:44 PM
Last modified : 5/3/2004 4:06:44 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@centrport[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:38:45 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 4:38:45 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:21:42 PM
Last accessed : 5/3/2004 4:21:42 PM
Last modified : 5/3/2004 4:21:42 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:25:22 PM
Last accessed : 5/3/2004 4:25:22 PM
Last modified : 5/3/2004 4:25:22 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 10:12:00 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 10:12:00 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:06:31 PM
Last accessed : 5/3/2004 4:06:31 PM
Last modified : 5/3/2004 4:06:31 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@tribalfusion[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:39:28 AM
Last accessed : 5/3/2004 4:05:20 PM
Last modified : 5/3/2004 4:39:28 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@z1.adserver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@~~local~~[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:07:42 PM
Last accessed : 5/3/2004 4:07:42 PM
Last modified : 5/3/2004 4:07:42 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM
IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 221 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 4/6/2004 1:33:00 PM
IBIS Toolbar Object recognized!
Type : File
Data : wintools.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 6 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:10 PM
Last modified : 3/19/2004 8:21:54 AM
Rads01.Quadrogram Object recognized!
Type : File
Data : wowex32[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\
FileSize : 448 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : wowex32
OriginalFilename : wowex32.exe
ProductName : wowex32
Created on : 5/3/2004 2:41:30 AM
Last accessed : 5/3/2004 4:47:11 PM
Last modified : 5/3/2004 2:41:33 AM
IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\WinTools\
FileSize : 221 KB
Created on : 5/1/2004 8:10:31 PM
Last accessed : 5/3/2004 4:49:18 PM
Last modified : 4/6/2004 1:33:00 PM
MemoryWatcher Object recognized!
Type : File
Data : memorywatcher.exe
Category : Malware
Comment :
Object : C:\Program Files\MemoryWatcher\
FileSize : 52 KB
FileVersion : 1.00
ProductVersion : 1.00
Copyright : Memory Watcher 2003
CompanyName : Memory Watcher
FileDescription : Memory Watcher
InternalName : MemoryWatcher
OriginalFilename : MemoryWatcher.exe
ProductName : Memory Watcher
Created on : 10/17/2003 6:17:00 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 10/17/2003 6:17:00 PM
VX2.BetterInternet Object recognized!
Type : File
Data : 0021-bdl94126.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 245 KB
Created on : 5/1/2004 6:33:49 PM
Last accessed : 5/3/2004 4:53:09 PM
Last modified : 5/1/2004 8:26:50 PM
TurboDownload Object recognized!
Type : File
Data : dp-him.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 60 KB
Created on : 11/24/2003 5:48:40 AM
Last accessed : 5/3/2004 4:53:17 PM
Last modified : 11/24/2003 5:48:40 AM
Favoriteman Object recognized!
Type : File
Data : im64.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
Created on : 2/25/2004 8:28:09 PM
Last accessed : 5/3/2004 4:53:24 PM
Last modified : 2/26/2004 12:07:23 AM
180Solutions Object recognized!
Type : File
Data : msbb321.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 95 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2001
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
OriginalFilename : exe_in_dll.DLL
ProductName : exe_in_dll Module
Created on : 2/26/2004 12:07:55 AM
Last accessed : 5/3/2004 4:53:31 PM
Last modified : 2/26/2004 12:08:25 AM
SahAgent Object recognized!
Type : File
Data : sahagent1014.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 53 KB
Created on : 2/25/2004 8:28:38 PM
Last accessed : 5/3/2004 4:53:43 PM
Last modified : 2/25/2004 8:28:38 PM
MemoryWatcher Object recognized!
Type : File
Data : memorywatcher_b.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\
FileSize : 501 KB
Created on : 5/1/2004 8:09:49 PM
Last accessed : 5/3/2004 4:53:55 PM
Last modified : 5/1/2004 8:09:53 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:53:56 PM
Last modified : 12/13/2003 3:48:18 PM
SahAgent Object recognized!
Type : File
Data : sahuninstall.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 29 KB
FileVersion : 2, 0, 0, 2
ProductVersion : 2, 0, 0, 2
Copyright : Copyright
FileDescription : SAHUninstall
InternalName : SAHUninstall
OriginalFilename : SAHUninstall.dll
ProductName : SAHUninstall
Created on : 2/25/2004 8:28:43 PM
Last accessed : 5/3/2004 4:53:57 PM
Last modified : 1/27/2004 10:34:48 AM
Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 64
Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 64
Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
PromulGate Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Dpi
PromulGate Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\Dpi
PromulGate Object recognized!
Type : File
Data : dpi.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\
FileSize : 3 KB
Created on : 5/1/2004 8:36:10 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 5/2/2004 8:37:58 PM
PromulGate Object recognized!
Type : File
Data : dpih.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\
Created on : 5/1/2004 8:41:26 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:41:26 PM
AdDestroyer Object recognized!
Type : File
Data : popoops.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
FileVersion : 2, 1, 0, 3
ProductVersion : 2, 1, 0, 3
CompanyName : Shahin Gasanov
FileDescription : PopOops
InternalName : PopOops
OriginalFilename : PopOops.dll
ProductName : PopOops
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:53:39 PM
Last modified : 3/18/2003 9:00:00 AM
AdDestroyer Object recognized!
Type : File
Data : popoops2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.01.0001
ProductVersion : 1.01.0001
CompanyName : Shahin Gasanov
FileDescription : PopOops2
InternalName : PopOops2
OriginalFilename : PopOops2.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:45:31 PM
Last modified : 7/30/2003 8:07:16 PM
AdDestroyer Object recognized!
Type : File
Data : swlad1.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Globes
InternalName : SWLAD1
OriginalFilename : SWLAD1.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:45:57 PM
Last modified : 8/25/2003 6:29:50 PM
AdDestroyer Object recognized!
Type : File
Data : swlad2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:53:48 PM
Last modified : 8/25/2003 6:29:26 PM
ClearSearch Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\ClrSch
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\IncrediFind
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FC95EDD-4796-4966-9049-29649C80111D}
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\updmgr
eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {4FC95EDD-4796-4966-9049-29649C80111D}
eUniverse Object recognized!
Type : File
Data : incredifindbholog.tmp
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
Created on : 2/25/2004 8:28:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 9:30:00 PM
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Toolbar
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Toolbar
MemoryWatcher Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\MemoryWatcher
MemoryWatcher Object recognized!
Type : File
Data : comctl32.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 594 KB
FileVersion : 6.00.8105
ProductVersion : 6.00.8105
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Windows Common Controls ActiveX Control DLL
InternalName : COMCTL
OriginalFilename : COMCTL32.OCX
ProductName : COMCTL
Created on : 8/31/2003 6:04:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 8/31/2003 6:04:36 PM
MemoryWatcher Object recognized!
Type : File
Data : eula.url
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
Created on : 5/1/2004 8:14:11 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:14:12 PM
MemoryWatcher Object recognized!
Type : File
Data : trayicon.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 36 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Robdogg Inc.
InternalName : TrayIcon
OriginalFilename : TrayIcon.ocx
ProductName : vbRad
Created on : 8/30/2003 10:27:34 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 8/30/2003 10:27:34 PM
MemoryWatcher Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 83 KB
Created on : 5/1/2004 8:11:02 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:11:02 PM
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DMO
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A2872B10-39F2-42DF-9335-7DD38CF75255}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A1558B18-F76C-40FE-B358-9E47449F3CFE}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A7D0472E-C1FC-4D8F-ABA1-98A7692561BF}
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\AutoLoader
PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\AutoUpdate
PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\AutoUpdate0
PeopleOnPage Object recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : c:\program files\autoupdate\
FileSize : 140 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:48:55 PM
Last modified : 5/1/2004 8:11:05 PM
PeopleOnPage Object recognized!
Type : File
Data : aproposplugin.dll
Category : Data Miner
Comment :
Object : c:\program files\sysai\
FileSize : 60 KB
Created on : 5/1/2004 8:10:51 PM
Last accessed : 5/3/2004 4:45:18 PM
Last modified : 5/1/2004 8:10:39 PM
PeopleOnPage Object recognized!
Type : File
Data : auto_update_uninstall.exe
Category : Data Miner
Comment :
Object : c:\windows\system32\
FileSize : 228 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:53:10 PM
Last modified : 5/1/2004 8:11:04 PM
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\ClockSync
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\WhenUSearch
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\dell desktop\start menu\programs\WhenUSearch
WhenU Object recognized!
Type : File
Data : content
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
Created on : 5/1/2004 8:11:33 PM
Last accessed : 5/3/2004 4:51:10 PM
Last modified : 5/1/2004 8:11:34 PM
WhenU Object recognized!
Type : File
Data : search.cch
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 1028 KB
Created on : 5/1/2004 8:11:32 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM
WhenU Object recognized!
Type : File
Data : search.db
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 46 KB
Created on : 5/1/2004 8:11:15 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM
WhenU Object recognized!
Type : File
Data : search.htm
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 28 KB
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/22/2004 9:45:34 PM
WhenU Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 38 KB
FileVersion : 2, 0, 1, 1
ProductVersion : 2, 0, 1, 1
Copyright : Copyright 2001
CompanyName : WhenU.com, Inc.
FileDescription : WhenUSearch Uninstall
InternalName : Uninst
OriginalFilename : Uninst.exe
ProductName : WhenUSearch Uninstall
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/20/2004 3:39:46 PM
VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Dbi
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 12/13/2003 3:50:24 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bij.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\locals~1\temp\
FileSize : 1 KB
Created on : 2/25/2004 8:28:30 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 10/24/2003 5:55:34 PM
TurboDownload Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MaxSpeed
180Solutions Object recognized!
Type : File
Data : ncase.ini
Category : Data Miner
Comment :
Object : c:\windows\system32\
Created on : 2/26/2004 12:08:25 AM
Last accessed : 5/3/2004 4:55:04 PM
Last modified : 2/26/2004 12:08:25 AM
Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 48
Objects found so far: 112
12:55:04 PM Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:00:235
Objects scanned :132210
Objects identified :112
Objects ignored :0
New objects :112
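The log above reports findings by scanner section (registry, deep registry, disk, conditional), which hides the point that matters for cleanup: the entries under HKLM\...\CurrentVersion\Run, the Browser Helper Object, the URLSearchHooks and the approved shell extension are what re-launch the adware after every deletion. The following Python is an added example, not code from the original post or from Lavasoft; it parses the "Object recognized!" record format shown above and sorts the findings so that those autostart entries come first. The list of autostart locations is an assumption chosen from what this log reports, and the sample records are excerpted from the log above with the copy-paste line breaks repaired and empty fields dropped.

```python
"""Triage an Ad-aware 6 log by persistence: an added example, not the poster's or
Lavasoft's code. Autostart registry entries are listed first, because files deleted
while those entries remain are simply re-dropped at the next logon or browser start."""
import re
from dataclasses import dataclass, field

# Autostart locations to flag (assumed list, drawn from what the log above reports).
AUTOSTART = [
    (re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I), "Run key"),
    (re.compile(r"\\Browser Helper Objects\\", re.I), "IE BHO"),
    (re.compile(r"\\URLSearchHooks$", re.I), "IE URLSearchHook"),
    (re.compile(r"\\Shell Extensions\\Approved$", re.I), "shell extension"),
]
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")
RECORD_KEYS = {"Type", "Data", "Category", "Comment", "Rootkey", "Object", "Value", "FileSize",
               "FileVersion", "ProductVersion", "Copyright", "CompanyName", "FileDescription",
               "InternalName", "OriginalFilename", "ProductName", "Created on", "Last accessed",
               "Last modified"}

@dataclass
class Finding:
    family: str                     # e.g. PromulGate, VX2.BetterInternet
    kind: str = ""                  # RegKey, RegValue, File, Folder or Process
    category: str = ""              # Ad-aware's own label: Data Miner, Malware, Misc
    fields: dict = field(default_factory=dict)

    def location(self) -> str:
        if not self.kind.startswith("Reg"):
            return self.fields.get("Object", "") + self.fields.get("Data", "")
        loc = self.fields.get("Rootkey", "") + "\\" + self.fields.get("Object", "")
        return loc + (" -> " + self.fields["Value"] if "Value" in self.fields else "")

    def autostart_kind(self):
        if not self.kind.startswith("Reg"):
            return None
        obj = self.fields.get("Object", "")
        return next((label for pat, label in AUTOSTART if pat.search(obj)), None)

def parse(log_text: str) -> list:
    # One Finding per record; a record ends at the first line that is not a known field.
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith(" Object recognized!"):
            current = Finding(line[: -len(" Object recognized!")])
            findings.append(current)
            continue
        kv = KEY_VALUE.match(line)
        if current is None or not kv or kv.group("key").strip() not in RECORD_KEYS:
            current = None
            continue
        key, val = kv.group("key").strip(), kv.group("val").strip()
        if key == "Type":
            current.kind = val
        elif key == "Category":
            current.category = val
        else:
            current.fields[key] = val
    return findings

def triage(findings: list) -> dict:
    report = {"persistence": [], "cookies": [], "remainder": []}
    for f in findings:
        if f.autostart_kind():
            report["persistence"].append(f)
        elif f.family == "Tracking Cookie":
            report["cookies"].append(f)
        else:
            report["remainder"].append(f)
    return report

# Constructed sample: records excerpted from the log above, with the copy-paste
# line breaks repaired and the empty 'Data :' / 'Comment :' fields dropped.
SAMPLE_LOG = r"""
eUniverse Object recognized!
Type : RegValue
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\URLSearchHooks
Value : {5D60FF48-95BE-4956-B4C6-6BB168A70310}
Registry scan result :
PromulGate Object recognized!
Type : RegValue
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : Dpi
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@doubleclick[1].txt
Object : C:\Documents and Settings\Dell Desktop\Cookies\
MemoryWatcher Object recognized!
Type : File
Data : memorywatcher.exe
Category : Malware
Object : C:\Program Files\MemoryWatcher\
eUniverse Object recognized!
Type : RegKey
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4FC95EDD-4796-4966-9049-29649C80111D}
"""

if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG))["persistence"]:
        print(f"[{f.autostart_kind()}] {f.family}: {f.location()}")
```

Run against the full log pasted into SAMPLE_LOG (or read from a file), the "persistence" bucket is the short list to remove first, with the matching processes (dpi.exe, pcsvc.exe) stopped beforehand; the "remainder" bucket is then the payload files and folders, and the cookies are harmless by comparison.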
I'm halfway there. I downloaded, configured, and ran Ad-aware per your instructions. I don't know what to remove, so I'm posting the log. After posting this message, I will "remove all" and complete your original instructions. Thanks again for your help.
Here is the log file:
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, May 03, 2004 12:45:04 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R301 03.05.2004
__________________________
Reffile status:
=========================
Reference file loaded:
Reference Number : 01R298 20.04.2004
Internal build : 229
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1067557 Bytes
Signature data size : 1049356 Bytes
Reference data size : 18137 Bytes
Signatures total : 23569
Target categories : 10
Target families : 455
5-3-2004 12:35:55 PM Performing Webupdate...
Installing Update...
Reference file loaded:
Reference Number : 01R301 03.05.2004
Internal build : 233
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1082422 Bytes
Signature data size : 1064020 Bytes
Reference data size : 18338 Bytes
Signatures total : 23868
Target categories : 10
Target families : 460
5-3-2004 12:36:04 PM Success.
Update successfully downloaded and installed.
Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:29 %
Total physical memory:260096 kb
Available physical memory:74568 kb
Total page file size:640412 kb
Available on page file:403788 kb
Total virtual memory:2097024 kb
Available virtual memory:2048712 kb
OS:
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result
5-3-2004 12:45:04 PM - Scan started. (Custom mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-3-2004 4:16:53 PM
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:16:56 PM
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 7/16/2003 8:44:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:44:23 PM
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:00 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 7/16/2003 8:32:16 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:32:16 PM
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:04 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 7/16/2003 8:47:02 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:47:02 PM
#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:28:11 PM
Last accessed : 5/3/2004 4:28:47 PM
Last modified : 7/16/2003 8:28:11 PM
#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-3-2004 4:17:06 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 7/16/2003 8:46:20 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 7/16/2003 8:46:20 PM
#:9 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 5-3-2004 4:17:07 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 10:21:10 PM
Last accessed : 5/3/2004 4:17:07 PM
Last modified : 10/7/2003 10:21:10 PM
#:10 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\b
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 10:20:18 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 10/7/2003 10:20:18 PM
#:11 [cfd.exe]
FilePath : C:\Program Files\BroadJump\Client Foundation\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 360 KB
Created on : 5/2/2004 2:20:27 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 9/11/2002 1:26:26 AM
#:12 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 5-3-2004 4:17:08 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 5/2/2004 2:14:34 PM
Last accessed : 5/3/2004 4:17:08 PM
Last modified : 7/11/2003 6:51:16 PM
#:13 [dpi.exe]
FilePath : C:\Program Files\Common Files\Dpi\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM
Warning! PromulGate object found in memory(C:\Program Files\Common Files\Dpi\dpi.exe)
PromulGate Object recognized!
Type : Process
Data : dpi.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\Dpi\
FileSize : 92 KB
Created on : 1/16/2004 7:01:48 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/16/2004 7:01:26 PM
"dpi.exe"Process terminated successfully.
#:14 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 2003, 7, 14, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 5/2/2004 2:14:08 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 7/14/2003 1:55:44 PM
#:15 [pcsvc.exe]
FilePath : C:\WINDOWS\system32\pcs\
ThreadCreationTime : 5-3-2004 4:17:09 PM
BasePriority : Normal
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM
Warning! PromulGate object found in memory(C:\WINDOWS\system32
PromulGate Object recognized!
Type : Process
Data : pcsvc.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\system32\pcs\
FileSize : 35 KB
FileVersion : 2.14.0000
Created on : 1/27/2004 2:57:34 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 1/28/2004 1:42:24 PM
"pcsvc.exe"Process terminated successfully.
#:16 [senrcall.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 84 KB
Created on : 5/1/2004 8:10:58 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 5/1/2004 8:10:39 PM
#:17 [mcvsshld.exe]
FilePath : C:\PROGRA~1\mcafee.com\vso
ThreadCreationTime : 5-3-2004 4:17:10 PM
BasePriority : Normal
FileSize : 160 KB
FileVersion : 8, 0, 0, 15
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
OriginalFilename : mcvsshld.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:17:10 PM
Last modified : 8/18/2003 2:50:34 AM
#:18 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 404 KB
FileVersion : 8, 0, 0, 20
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
OriginalFilename : mcvsescn.EXE
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:29 PM
Last accessed : 5/3/2004 4:15:59 PM
Last modified : 9/28/2003 6:47:00 PM
#:19 [mcagent.exe]
FilePath : c:\program files\mcafee.com\agent\
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 4, 3, 0, 27
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
OriginalFilename : mcagent.exe
ProductName : McAfee SecurityCenter
Created on : 1/7/2004 5:26:14 PM
Last accessed : 5/3/2004 4:17:11 PM
Last modified : 12/8/2003 8:38:52 PM
#:20 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATC
ThreadCreationTime : 5-3-2004 4:17:11 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.10.1006
ProductVersion : 8.10.1006
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:12 PM
Last modified : 10/6/2003 4:05:40 PM
#:21 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\A
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 1344 KB
FileVersion : 1,0,17,5
ProductVersion : 1,0,17,5
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 12/30/2003 4:37:09 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/6/2003 10:58:26 PM
#:22 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatc
ThreadCreationTime : 5-3-2004 4:17:13 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 12/30/2003 4:43:11 AM
Last accessed : 5/3/2004 4:17:13 PM
Last modified : 10/6/2003 4:05:40 PM
#:23 [mcvsrte.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 8, 0, 0, 12
ProductVersion : 8, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
OriginalFilename : mcvsrte.exe
ProductName : McAfee VirusScan
Created on : 1/7/2004 5:26:23 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 8/8/2003 11:04:38 PM
#:24 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ThreadCreationTime : 5-3-2004 4:17:14 PM
BasePriority : Normal
FileSize : 314 KB
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 6/20/2003 5:25:00 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 6/20/2003 5:25:00 AM
#:25 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:18 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 12/30/2003 4:37:15 AM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 1/10/2003 11:13:04 PM
#:26 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.05b
Copyright : Copyright
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
Created on : 12/30/2003 4:35:55 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 8/6/2003 7:04:00 AM
#:27 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-3-2004 4:17:24 PM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.24 02/24/2003 18:29:41
ProductVersion : 3.5.24 02/24/2003 18:29:41
Copyright : Copyright
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 1/1/1980 6:00:00 AM
Last accessed : 5/3/2004 4:17:24 PM
Last modified : 6/2/2003 11:00:30 AM
#:28 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:25 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 3.0.0.2285
ProductVersion : 7.0.0.2285
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel(R) Common User Interface
Created on : 10/2/2003 6:19:44 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 10/2/2003 6:19:44 PM
#:29 [wtoolsa.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:27 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:41 AM
Last accessed : 5/3/2004 4:17:27 PM
Last modified : 4/30/2004 2:48:08 PM
#:30 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso
ThreadCreationTime : 5-3-2004 4:17:28 PM
BasePriority : High
FileSize : 220 KB
Created on : 1/23/2004 1:53:46 PM
Last accessed : 5/3/2004 4:16:51 PM
Last modified : 3/13/2002 1:50:34 PM
#:31 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 7/16/2003 8:26:03 PM
Last accessed : 5/3/2004 4:17:30 PM
Last modified : 7/16/2003 8:26:03 PM
#:32 [wtoolss.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:30 PM
BasePriority : Normal
FileSize : 75 KB
Created on : 5/3/2004 12:11:45 AM
Last accessed : 5/3/2004 4:17:31 PM
Last modified : 4/20/2004 12:15:06 PM
#:33 [wsup.exe]
FilePath : C:\Program Files\Common files\WinTools\
ThreadCreationTime : 5-3-2004 4:17:31 PM
BasePriority : Normal
FileSize : 429 KB
Created on : 5/3/2004 12:11:42 AM
Last accessed : 5/3/2004 4:17:38 PM
Last modified : 4/30/2004 2:48:08 PM
#:34 [qife4.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:46 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:20:06 PM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:20:06 PM
#:35 [wvyq4ux.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:17:49 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 5/2/2004 4:50:01 AM
Last accessed : 5/3/2004 4:17:43 PM
Last modified : 5/2/2004 4:50:01 AM
#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:18:19 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:37 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-3-2004 4:18:37 PM
BasePriority : Normal
FileSize : 136 KB
FileVersion : 5.4.3630.1106 (xpsp1.020828-1920)
ProductVersion : 5.4.3630.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:18:36 PM
Last modified : 8/29/2002 11:00:00 AM
#:38 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:19:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:39 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 5-3-2004 4:33:49 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 8/29/2002 11:00:00 AM
#:40 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 5-3-2004 4:35:18 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/3/2004 4:33:47 PM
Last accessed : 5/3/2004 4:33:49 PM
Last modified : 7/13/2003 1:00:20 AM
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 2
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
AdDestroyer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\vb and vba program settings\addestroyer
Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Interne
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000000-0000-0000-
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : csie.csiecore.1
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\CLRSCH
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
ClearSearch Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TYPELIB\{60494593-5408-447
ClickSpring Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\ClickSpring
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : bho.incredifindbho.1
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{4fc95edd-4796-4966-
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{5d60ff48-95be-4956-
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
Favoriteman Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{53F066F0-A4C0-4F4
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MemoryWatcher
MemoryWatcher Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{00000ef1-0786-4633-
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Apropos.Client.1.1
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A4A58A2C-B039-432B-
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Apropos
VirtualBouncer Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\VB and VBA Program Settings\VBouncer
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\WhenUSearch
WhenU Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : WUSE.1
eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{5D60FF48-95BE-4956-B4C6-
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Interne
Value : {5D60FF48-95BE-4956-B4C6-6
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Counter"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Counter
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Server"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Server
Favoriteman Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Object"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows
Value : Object
Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{00000762-3965-4A1A-98CE-
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
Value : {00000762-3965-4A1A-98CE-3
Lycos Sidesearch Object recognized!
Type : RegValue
Data :
Category : Misc
Comment : "{000007AB-7059-463E-BD44-
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
Value : {000007AB-7059-463E-BD44-1
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 34
Objects found so far: 36
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Dpi"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows
Value : Dpi
PromulGate Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "Pcsv"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows
Value : Pcsv
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 38
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@0[3].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:33:54 PM
Last accessed : 5/3/2004 4:33:54 PM
Last modified : 5/3/2004 4:33:54 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@atdmt[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:06:44 PM
Last accessed : 5/3/2004 4:06:44 PM
Last modified : 5/3/2004 4:06:44 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@centrport[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:38:45 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 4:38:45 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:21:42 PM
Last accessed : 5/3/2004 4:21:42 PM
Last modified : 5/3/2004 4:21:42 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:25:22 PM
Last accessed : 5/3/2004 4:25:22 PM
Last modified : 5/3/2004 4:25:22 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 10:12:00 AM
Last accessed : 5/3/2004 4:47:06 PM
Last modified : 5/3/2004 10:12:00 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:06:31 PM
Last accessed : 5/3/2004 4:06:31 PM
Last modified : 5/3/2004 4:06:31 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@tribalfusion[2].tx
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:39:28 AM
Last accessed : 5/3/2004 4:05:20 PM
Last modified : 5/3/2004 4:39:28 AM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@z1.adserver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:04:58 PM
Last accessed : 5/3/2004 4:04:58 PM
Last modified : 5/3/2004 4:04:58 PM
Tracking Cookie Object recognized!
Type : File
Data : dell desktop@~~local~~[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Cookies\
Created on : 5/3/2004 4:07:42 PM
Last accessed : 5/3/2004 4:07:42 PM
Last modified : 5/3/2004 4:07:42 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM
IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 221 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 4/6/2004 1:33:00 PM
IBIS Toolbar Object recognized!
Type : File
Data : wintools.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temp\
FileSize : 6 KB
Created on : 5/1/2004 8:10:25 PM
Last accessed : 5/3/2004 4:47:10 PM
Last modified : 3/19/2004 8:21:54 AM
Rads01.Quadrogram Object recognized!
Type : File
Data : wowex32[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Dell Desktop\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX
FileSize : 448 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : wowex32
OriginalFilename : wowex32.exe
ProductName : wowex32
Created on : 5/3/2004 2:41:30 AM
Last accessed : 5/3/2004 4:47:11 PM
Last modified : 5/3/2004 2:41:33 AM
IBIS Toolbar Object recognized!
Type : File
Data : btiein.dll
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\WinTools\
FileSize : 221 KB
Created on : 5/1/2004 8:10:31 PM
Last accessed : 5/3/2004 4:49:18 PM
Last modified : 4/6/2004 1:33:00 PM
MemoryWatcher Object recognized!
Type : File
Data : memorywatcher.exe
Category : Malware
Comment :
Object : C:\Program Files\MemoryWatcher\
FileSize : 52 KB
FileVersion : 1.00
ProductVersion : 1.00
Copyright : Memory Watcher 2003
CompanyName : Memory Watcher
FileDescription : Memory Watcher
InternalName : MemoryWatcher
OriginalFilename : MemoryWatcher.exe
ProductName : Memory Watcher
Created on : 10/17/2003 6:17:00 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 10/17/2003 6:17:00 PM
VX2.BetterInternet Object recognized!
Type : File
Data : 0021-bdl94126.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 245 KB
Created on : 5/1/2004 6:33:49 PM
Last accessed : 5/3/2004 4:53:09 PM
Last modified : 5/1/2004 8:26:50 PM
TurboDownload Object recognized!
Type : File
Data : dp-him.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 60 KB
Created on : 11/24/2003 5:48:40 AM
Last accessed : 5/3/2004 4:53:17 PM
Last modified : 11/24/2003 5:48:40 AM
Favoriteman Object recognized!
Type : File
Data : im64.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
Created on : 2/25/2004 8:28:09 PM
Last accessed : 5/3/2004 4:53:24 PM
Last modified : 2/26/2004 12:07:23 AM
180Solutions Object recognized!
Type : File
Data : msbb321.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 95 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2001
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
OriginalFilename : exe_in_dll.DLL
ProductName : exe_in_dll Module
Created on : 2/26/2004 12:07:55 AM
Last accessed : 5/3/2004 4:53:31 PM
Last modified : 2/26/2004 12:08:25 AM
SahAgent Object recognized!
Type : File
Data : sahagent1014.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM32\
FileSize : 53 KB
Created on : 2/25/2004 8:28:38 PM
Last accessed : 5/3/2004 4:53:43 PM
Last modified : 2/25/2004 8:28:38 PM
MemoryWatcher Object recognized!
Type : File
Data : memorywatcher_b.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Temp\
FileSize : 501 KB
Created on : 5/1/2004 8:09:49 PM
Last accessed : 5/3/2004 4:53:55 PM
Last modified : 5/1/2004 8:09:53 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:53:56 PM
Last modified : 12/13/2003 3:48:18 PM
SahAgent Object recognized!
Type : File
Data : sahuninstall.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 29 KB
FileVersion : 2, 0, 0, 2
ProductVersion : 2, 0, 0, 2
Copyright : Copyright
FileDescription : SAHUninstall
InternalName : SAHUninstall
OriginalFilename : SAHUninstall.dll
ProductName : SAHUninstall
Created on : 2/25/2004 8:28:43 PM
Last accessed : 5/3/2004 4:53:57 PM
Last modified : 1/27/2004 10:34:48 AM
Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 64
Scanning Hosts file(C:\WINDOWS\System32\d
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 64
Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
PromulGate Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Dpi
PromulGate Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\Dpi
PromulGate Object recognized!
Type : File
Data : dpi.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\
FileSize : 3 KB
Created on : 5/1/2004 8:36:10 PM
Last accessed : 5/3/2004 4:17:09 PM
Last modified : 5/2/2004 8:37:58 PM
PromulGate Object recognized!
Type : File
Data : dpih.inf
Category : Data Miner
Comment :
Object : c:\documents and settings\all users\application data\dpi\
Created on : 5/1/2004 8:41:26 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:41:26 PM
AdDestroyer Object recognized!
Type : File
Data : popoops.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
FileVersion : 2, 1, 0, 3
ProductVersion : 2, 1, 0, 3
CompanyName : Shahin Gasanov
FileDescription : PopOops
InternalName : PopOops
OriginalFilename : PopOops.dll
ProductName : PopOops
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:53:39 PM
Last modified : 3/18/2003 9:00:00 AM
AdDestroyer Object recognized!
Type : File
Data : popoops2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.01.0001
ProductVersion : 1.01.0001
CompanyName : Shahin Gasanov
FileDescription : PopOops2
InternalName : PopOops2
OriginalFilename : PopOops2.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:31 AM
Last accessed : 5/3/2004 4:45:31 PM
Last modified : 7/30/2003 8:07:16 PM
AdDestroyer Object recognized!
Type : File
Data : swlad1.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 40 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Globes
InternalName : SWLAD1
OriginalFilename : SWLAD1.dll
ProductName : PopOops2
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:45:57 PM
Last modified : 8/25/2003 6:29:50 PM
AdDestroyer Object recognized!
Type : File
Data : swlad2.dll
Category : Malware
Comment :
Object : c:\windows\system32\
FileSize : 24 KB
Created on : 2/26/2004 11:32:32 AM
Last accessed : 5/3/2004 4:53:48 PM
Last modified : 8/25/2003 6:29:26 PM
ClearSearch Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\IncrediFind
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
eUniverse Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\updmgr
eUniverse Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Interne
Value : {4FC95EDD-4796-4966-9049-2
eUniverse Object recognized!
Type : File
Data : incredifindbholog.tmp
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
Created on : 2/25/2004 8:28:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 9:30:00 PM
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Toolbar
IBIS Toolbar Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Toolbar
MemoryWatcher Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\MemoryWatcher
MemoryWatcher Object recognized!
Type : File
Data : comctl32.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 594 KB
FileVersion : 6.00.8105
ProductVersion : 6.00.8105
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Windows Common Controls ActiveX Control DLL
InternalName : COMCTL
OriginalFilename : COMCTL32.OCX
ProductName : COMCTL
Created on : 8/31/2003 6:04:36 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 8/31/2003 6:04:36 PM
MemoryWatcher Object recognized!
Type : File
Data : eula.url
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
Created on : 5/1/2004 8:14:11 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:14:12 PM
MemoryWatcher Object recognized!
Type : File
Data : trayicon.ocx
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 36 KB
FileVersion : 1.00
ProductVersion : 1.00
CompanyName : Robdogg Inc.
InternalName : TrayIcon
OriginalFilename : TrayIcon.ocx
ProductName : vbRad
Created on : 8/30/2003 10:27:34 PM
Last accessed : 5/3/2004 4:50:13 PM
Last modified : 8/30/2003 10:27:34 PM
MemoryWatcher Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\memorywatcher\
FileSize : 83 KB
Created on : 5/1/2004 8:11:02 PM
Last accessed : 5/3/2004 4:53:59 PM
Last modified : 5/1/2004 8:11:02 PM
NetPal Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Windows
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{01C5BF6C-E699-4CD7-
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A2872B10-39F2-42DF-
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A1558B18-F76C-4
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A2872B10-39F2-4
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A7D0472E-C1FC-4
PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\AutoLoader
PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\AutoUpdate
PeopleOnPage Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
PeopleOnPage Object recognized!
Type : File
Data : libexpat.dll
Category : Data Miner
Comment :
Object : c:\program files\autoupdate\
FileSize : 140 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:48:55 PM
Last modified : 5/1/2004 8:11:05 PM
PeopleOnPage Object recognized!
Type : File
Data : aproposplugin.dll
Category : Data Miner
Comment :
Object : c:\program files\sysai\
FileSize : 60 KB
Created on : 5/1/2004 8:10:51 PM
Last accessed : 5/3/2004 4:45:18 PM
Last modified : 5/1/2004 8:10:39 PM
PeopleOnPage Object recognized!
Type : File
Data : auto_update_uninstall.exe
Category : Data Miner
Comment :
Object : c:\windows\system32\
FileSize : 228 KB
Created on : 5/1/2004 8:11:11 PM
Last accessed : 5/3/2004 4:53:10 PM
Last modified : 5/1/2004 8:11:04 PM
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\ClockSync
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\program files\WhenUSearch
WhenU Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\documents and settings\dell desktop\start menu\programs\WhenUSearch
WhenU Object recognized!
Type : File
Data : content
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
Created on : 5/1/2004 8:11:33 PM
Last accessed : 5/3/2004 4:51:10 PM
Last modified : 5/1/2004 8:11:34 PM
WhenU Object recognized!
Type : File
Data : search.cch
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 1028 KB
Created on : 5/1/2004 8:11:32 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM
WhenU Object recognized!
Type : File
Data : search.db
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 46 KB
Created on : 5/1/2004 8:11:15 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 5/1/2004 8:28:13 PM
WhenU Object recognized!
Type : File
Data : search.htm
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 28 KB
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/22/2004 9:45:34 PM
WhenU Object recognized!
Type : File
Data : uninst.exe
Category : Data Miner
Comment :
Object : c:\program files\whenusearch\
FileSize : 38 KB
FileVersion : 2, 0, 1, 1
ProductVersion : 2, 0, 1, 1
Copyright : Copyright 2001
CompanyName : WhenU.com, Inc.
FileDescription : WhenUSearch Uninstall
InternalName : Uninst
OriginalFilename : Uninst.exe
ProductName : WhenUSearch Uninstall
Created on : 5/1/2004 8:11:28 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 1/20/2004 3:39:46 PM
VX2.BetterInternet Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Dbi
VX2.BetterInternet Object recognized!
Type : File
Data : bi.ini
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
FileSize : 224 KB
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 12/13/2003 3:48:18 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.cab
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
FileSize : 85 KB
Created on : 2/25/2004 8:38:23 PM
Last accessed : 5/3/2004 4:47:09 PM
Last modified : 2/25/2004 8:38:24 PM
VX2.BetterInternet Object recognized!
Type : File
Data : biini.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
Created on : 2/25/2004 8:38:24 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 12/13/2003 3:50:24 PM
VX2.BetterInternet Object recognized!
Type : File
Data : bij.inf
Category : Data Miner
Comment :
Object : c:\docume~1\dellde~1\local
FileSize : 1 KB
Created on : 2/25/2004 8:28:30 PM
Last accessed : 5/3/2004 4:54:00 PM
Last modified : 10/24/2003 5:55:34 PM
TurboDownload Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\MaxSpeed
180Solutions Object recognized!
Type : File
Data : ncase.ini
Category : Data Miner
Comment :
Object : c:\windows\system32\
Created on : 2/26/2004 12:08:25 AM
Last accessed : 5/3/2004 4:55:04 PM
Last modified : 2/26/2004 12:08:25 AM
Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 48
Objects found so far: 112
12:55:04 PM Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:10:00:235
Objects scanned :132210
Objects identified :112
Objects ignored :0
New objects :112
Hi!
Remove everything that Adaware has found, empty the contents of all your temp folders (don't delete the temp folders themselves - just what's in them).
Empty your recycle bin.
Reboot and post another HijackThis log.
Thanks and good luck!
ASKER
Hi rossfingal,
I am impressed with Ad-Aware 6.0 as it found about 60 additional items that McAfee and Spybot did not find. They have all been cleaned up and I was hopeful that my problems were solved. I have no pop-ups anymore.
I emptied the temp files, temp internet files, and the recycle bin, rebooted, and captured a new HijackThis log, which will be attached below.
However, when I check for viruses, it still catches on the same 6 files called Adware-MemWatcher. They are random names, cannot be cleaned or deleted, and when quarantined and deleted they come immediately back. I can see them also as active processes, and when an active process is deleted, it immediately comes back. There is also a process which often takes 100% of the processing resource for about 10 or 15 seconds and everything just hangs.
Sorry for the delay, I couldn't get on the web, and had to reinstall my drivers and internet software. Thanks again for your help.
Here is the newest HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 6:37:19 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\senrcall.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\Qife4.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\DOCUME~1\DELLDE~1\LOCALS~1\Temp\WToolsB.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [rs6T3Ei] C:\WINDOWS\System32\senrcall.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [MFMT] C:\WINDOWS\MFMT.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapiit.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.digitalsurveillancecenter.com/activex/AxisCamControl.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38109.7553819444
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
Hi!
Well, I could go on and on about "horror stories" concerning the increasing difficulties with trying to remove some of the things out there - just ran into someone who had 948 various "nasties" on their computer!
However, you still have the Peper A trojan - so:
If you don't still have it, download the Peper removal tool from one of the links above.
Make sure System Restore is turned off.
Turn off your firewall, if you have one (and if you don't - I recommend you get one).
Run the tool - might as well run it twice! (this is what other people are suggesting, as of today).
Empty your temp files. (make sure you empty all temp files in "documents and settings")
Empty your recycle bin.
Reboot your computer, make sure you're showing all files (system, hidden, etc.)
Post a new HijackThis log.
Thanks and good luck! :)
ASKER
Hi rossfingal,
I'll work on that peper trojan again.
Can you tell me what in my log shows up that tells you it's the Peper trojan?
I ran the Peper uninstall tool before, so I don't know if it was ineffective (probably user error) or if I got reinfected again from visiting my usual sites (very very right now, just yahoo and experts exchange). Knowing what to look for would help me narrow it down.
Thanks.
Also, when I ran the Peper trojan uninstall, it ran in a command window in a fraction of a second so I don't know if it ended correctly or not. Is this normal?
Thanks again. Bruce.
Remember to protect yourself in the future...
AntiVir - The private and individual use of the AntiVir Personal Edition is free of charge
http://www.free-av.com
Hi!
The thing that usually sticks out is an entry like this:
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
Note 14 letters/numbers inside the brackets and a random exe file.
Yes the peper tool runs very fast.
As to where people are picking this pest up I'm not sure if anyone knows yet; however, be assured that there are a lot of people looking into it.
Remember to clear your restore points when you turn off System Restore, as there might be a remnant of something there.
It's not that uncommon to have to run the peper tool several times.
Let us know!
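The tell rossfingal describes (a random 14-character name inside the brackets of an O4 Run entry, pointing at a randomly named .exe) can be checked mechanically over a HijackThis log. The following is an added example, not code from the thread; it applies that heuristic plus one generalisation beyond the thread (an autostart entry launching from a temp folder), on a constructed excerpt of the log posted above.

```python
"""Flag HijackThis O4 (autostart) entries of the kind rossfingal points
out above: a random 14-character alphanumeric name inside the brackets
launching a randomly named .exe.  Added example, not code from the
thread.  The second heuristic (a program autostarting from a temp folder)
generalises beyond what the thread states."""
import re
from dataclasses import dataclass, field
from typing import List

# matches e.g.  O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# the thread's tell: exactly 14 upper-case letters/digits as the value name
RANDOM_NAME_RE = re.compile(r'^[A-Z0-9]{14}$')
# generalisation: autostart entries pointing into a temp directory
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)
# strips quotes and trailing arguments ("...\Sync.exe /q") from the command
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat))"?(?:\s|$)',
                    re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Return the program path from an O4 command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else cmd.strip()


def classify(line: str) -> Finding:
    """Apply both heuristics to one HijackThis line."""
    finding = Finding(line.strip())
    m = O4_RE.match(finding.line)
    if not m:                      # not a Run-key entry (O2, O16, ...)
        return finding
    if RANDOM_NAME_RE.match(m.group('name')):
        finding.reasons.append('14-char random value name (Peper pattern)')
    if TEMP_DIR_RE.search(exe_path(m.group('cmd'))):
        finding.reasons.append('autostart from a temp folder')
    return finding


def suspicious_entries(log: str) -> List[Finding]:
    """Return only the lines that tripped at least one heuristic."""
    return [f for f in map(classify, log.splitlines()) if f.reasons]


# constructed excerpt of the HijackThis log posted in the thread
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [2HQCYHF3DNW2CN] C:\WINDOWS\System32\Upws.exe
O4 - HKLM\..\Run: [z] C:\windows\temp\z.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == '__main__':
    for f in suspicious_entries(SAMPLE_LOG):
        print(f.line, '->', '; '.join(f.reasons))
```

A hit on either heuristic is a lead to verify (file properties, signer, location), not a verdict; legitimate software does occasionally use odd value names.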
ASKER
Hi rossfingal,
Thanks for the above.
I assure you I have tried real hard last night to rid myself of the peper/memwatcher/sandboxer problem. I've run the peperpage/uninstall.exe hundreds of times, in as many combinations (emptying temp folders, temp internet files folder, rebooting etc) as possible and am convinced that it will not work for me. I can watch it get eliminated and watch it come immediately back. The random filenames are always in my HijackThis log and always in my list of active processes. I'm about to surrender to erasing my hard drive.
I thought I might try the second tool you suggested (the peperuninstall.exe in Australia) but the link is/has been down. Is there another path or another choice?
Thanks again.
Hi!
Sorry to hear you're having problems.
Hang in there for a moment, I'm looking into a few things concerning your HJT log.
I'd hate to see you have to do a format/restore.
Check back in a little while.
OK?
Hi!
Before you do anything, could you look at these 4 files and post their properties - manufacturer, version, etc.
C:\WINDOWS\System32\senrcall.exe
C:\WINDOWS\System32\WvyQ4Ux.exe
C:\WINDOWS\System32\Qife4.exe
O4 - HKCU\..\Run: [Crru] C:\Documents and Settings\Dell Desktop\Application Data\tecw.exe
Then, turn off System Restore and clear your restore points.
You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed. If you do not know how to log in as Administrator, contact your system administrator (if you are on a network), the computer manufacturer, or installer.
Turning off System Restore will delete all previous restore points. You must create new restore points once you turn System Restore back on.
To turn off Windows XP System Restore
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box as shown in this illustration:
Click Apply. A message appears:
As noted in the message, this will delete all existing restore points. Click Yes to do this.
Click OK.
Proceed with what you need to do. For example, removing viruses. Restart the computer and follow the instructions in the next section to turn on System Restore.
Next, download this uninstaller:
http://www.computercops.biz/downloads-file-330.html
It comes in a zipped file. Launch "Uninst.exe". Follow the uninstallation process and restart/reboot the computer when it's finished. If you have a firewall installed, please temporarily disable it while running this.
Before you reboot - empty "temp" folders, delete "Temporary Internet Files", and empty your recycle bin.
Reboot and post a new HijackThis log.
Thanks!
Double Check for viruses
Online Scanners
Norton Web Services
Virus Detection provides an analysis of your results and offers suggestions for further action. It does not examine compressed files or fix infected files.
When Symantec receives notification about a new virus, we develop and post a solution as quickly as possible. We are committed to providing swift responses to all virus threats, including Trojan horses.
http://security.symantec.com/sscv6/vc_about.asp?ax=0&langid=ie&venid=sym&plfid=23&pkj=BSZNTGXIBVEMBQAUWZK
======================
Trend Micro HouseCall
http://housecall.antivirus.com/housecall/start_corp.asp
======================
eTrust Online antivirus scanner
http://www3.ca.com/virusinfo/virusscan.aspx
======================
PC Pitstop Virus Scan
When the download completes, you will receive an ActiveX security dialog for the PC Pitstop virus scanner. Click Yes to install the scanner and proceed to the virus scan.
If you are currently running an antivirus package such as Norton Antivirus, it may detect our own virus detection file as a virus. If this occurs and you wish to use our scanner, please (temporarily) disable any active background virus checking software before scanning, or add our signature file (PAV.SIG) to the scanner's file exclusion list.
http://www.pcpitstop.com/antivirus/AVLoad.asp