Cool Web Search Hijacker--very sneaky

Discussion in 'adware, spyware & hijack cleaning' started by brookesmith, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Anyone who can help me, I would be extremely grateful. I have had the CWS trojan for a few weeks now and have tried everything but to no avail. I have Adaware, Search and Destroy, Spyware Blaster, Macafee Firewall and Virus Scan and Hijack This. These detect the bad files and remove them but they always pop back up, usually within minutes. I have found some files in the add/remove programs list that are not supposed to be there but everytime I try to delete them, it says they are write protected. I have tried CW shredder and it hasn't found anything. Here is my log from HiJack This and the qurantined files from Adaware for today. Thank you in advance for your time.

    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-114:cool: Version Checking and File Installation Libraries
    WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-114:cool: Offline Network Agent
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    winur32.dll ed0000 266240 C:\WINDOWS\system32\winur32.dll
    ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    shdoclc.dll 1210000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft (R) HTML Viewer
    MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-114:cool: Multi Language Support DLL
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 Helper for Windows NT
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-114:cool: Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 32-Bit DLL
    mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Windows Sockets 2.0 Service Provider
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-114:cool: LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-114:cool: Remote Access AutoDial Helper
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Sockets Helper DLL
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-114:cool: ActiveX Interface Marshaling Library
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-114:cool: Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-114:cool: NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-114:cool: NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-114:cool: Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-114:cool: Web DAV Client DLL
    MSGINA.dll 75970000 991232 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    ODBC32.dll 10b0000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-114:cool: WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft MIDI Mapper
    mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft (R) HTML Editing Component
    imgutil.dll 66880000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 (xpsp1.020828-1920) IE plugin image decoder support DLL
    plugin.ocx 72b20000 98304 C:\WINDOWS\System32\plugin.ocx 6.00.2600.0000 (xpclient.010817-114:cool: ActiveX Plugin OCX
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Volume Tracking
    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    uxtheme.dll 5ad70000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-114:cool: Version Checking and File Installation Libraries
    WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-114:cool: Offline Network Agent
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    winur32.dll ed0000 266240 C:\WINDOWS\system32\winur32.dll
    ATL.DLL 76b20000 86016 C:\WINDOWS\system32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    shdoclc.dll 1210000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1400 Microsoft (R) HTML Viewer
    MLANG.dll 74770000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-114:cool: Multi Language Support DLL
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 2.0 Helper for Windows NT
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-114:cool: Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Socket 32-Bit DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    mswsock.dll 71a50000 241664 C:\WINDOWS\System32\mswsock.dll 5.1.2600.0 (xpclient.010817-114:cool: Microsoft Windows Sockets 2.0 Service Provider
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-114:cool: LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-114:cool: Remote Access AutoDial Helper
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-114:cool: Windows Sockets Helper DLL
    IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-114:cool: ActiveX Interface Marshaling Library







    ArchiveData(auto-quarantine- 02-07-2004 17-40-46.bckp)
    ======================================================

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegKey : SYSTEM\CurrentControlSet\Services\__NS_Service_3
    obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE
    obj[4]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
    obj[5]=File : c:\windows\system32\crar.exe
    obj[6]=File : c:\windows\system32\netvp32.exe
    obj[7]=File : c:\windows\d3ax.exe

    ArchiveData(auto-quarantine- 02-07-2004 17-46-48.bckp)
    ======================================================

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE
    obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
    obj[7]=File : c:\windows\irttr.dll

    VX2
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[4]=RegKey : Software\MxTarget
    obj[5]=File : c:\documents and settings\brooke smith\local settings\temp\polmx3.cab
    obj[6]=File : c:\documents and settings\brooke smith\local settings\temp\polmx3.exe
    obj[8]=File : c:\windows\polmx3.exe
    obj[9]=File : c:\docume~1\brooke~1\locals~1\temp\polmx3.cab
    obj[10]=File : c:\docume~1\brooke~1\locals~1\temp\polmx3.exe
    obj[11]=File : c:\docume~1\brooke~1\locals~1\temp\polmx3.inf
    obj[12]=File : c:\windows\inf\polmx3.inf


    ArchiveData(auto-quarantine- 02-07-2004 17-53-42.bckp)
    ======================================================

    COOLWEBSEARCH
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    obj[2]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE
    obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW
    obj[4]=RegValue : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
     
  2. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Now they have hijacked my aol password and are using my address to send spam. PLEASE HELP!
     
    Last edited: Jul 3, 2004
  3. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    please download hijackthis from here
    unzip the download into a convenient permanent folder( like c:\hijackthis)
    and run the program. hit the scan button, when the scan is finished the button changes to save log. save the log, open it with notepad, pres ctrl+a to select all and copy it's contents here
    someone here will be happy to analyze the results for you
     
    Last edited: Jul 3, 2004
  4. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    thank you thank you thank you. here is the new log.


    Logfile of HijackThis v1.98.0
    Scan saved at 8:37:19 PM, on 7/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ntxw32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\mfczi.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {30D83F56-DA50-B817-EF00-1DEB557B32F8} - C:\WINDOWS\iprh32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [ntxw32.exe] C:\WINDOWS\ntxw32.exe
    O4 - HKLM\..\Run: [qxmjojwda] C:\WINDOWS\System32\njqkny.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    let's try this:
    Please download this tool called about:Buster from:

    http://www.downloads.subratam.org/AboutBuster.zip

    Unzip it to your desktop but don't run it yet.

    Now start Hijackthis and tick the boxes next to these items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dkbdt.dll/sp.html#96676

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {30D83F56-DA50-B817-EF00-1DEB557B32F8} - C:\WINDOWS\iprh32.dll

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [ntxw32.exe] C:\WINDOWS\ntxw32.exe

    O4 - HKLM\..\Run: [qxmjojwda] C:\WINDOWS\System32\njqkny.exe


    Now close ALL windows and hit fix checked.
    Do not open internet explorer to come back here until after running the tool.it might be a good idea to print this before proceeding..

    Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    Once the tool is done scanning, copy the log and paste it into your thread.

    Restart your computer and post the report and a new Hijack this log.


    also i see no antivirus protection there..
    here is a free one:www.free-av.com
    download, install, update and do a full system scan

    a strange but suspivious exe here in your processes:C:\WINDOWS\mfczi.exe
    kill that with windows task manager, press ctrl+alt+del to open it, select processes tab, highlight the process C:\WINDOWS\mfczi.exe and click on end process, then locate the file C:\WINDOWS\mfczi.exe and rename it to mfczi.vir

    if it's not visible it probably has the system/hidden attribute, to enable showing of system and hidden files:

    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    i'd like a copy of that file. can you zip it up with winzip and send it to me, illukka at dslr.net (without spaces) also send it to submit@diamondcs.com.au
     
  6. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Thank you so much! It seems to have worked. I am having trouble with zipping the folder you requested. I am not very informed on the zip thing. My computer unzips files automatically and I can't figure out how to make it zip them-- if you tell me what to do I will gladly send it. I did find the file though but its not showing in task manager. It WAS hidden and its called "prefetch". Should i just dump it? There is a bunch of stuff in there including, i think, my spider solitaire game that came standard with windows xp and is no where to be found now. By the way, I am missing word, excel, power point and a whole bunch of other stuff that comes with windows. Any ideas about how to recover those or am i just going to have to reinstall everything? Unfortunately, I closed down the Buster thing before copying the log. I was expecting there to be an option to save and then there wasn't. I am sorry about that. If there is some way I can recover it so that you may use it to help others, please let me know. Here is the log from hijack this:

    Logfile of HijackThis v1.98.0
    Scan saved at 12:13:54 AM, on 7/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [qxmjojwda] C:\WINDOWS\System32\njqkny.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi
    first you can safely delete everything inside that prefetch folder, but leave the folder. in fect its recommended to clean the prefetch every now and then.


    what do you mean that excel etc are not there?
    no icons, or what, do you still see them listed in control panel/ add remove programs?
    are the program folders still present at program files folder?

    there are some things you need to fix with hijackthis:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKLM\..\Run: [qxmjojwda] C:\WINDOWS\System32\njqkny.exe


    did the antivir find something? can you attach antivir scan log here? it's located in program files\avpersonal\logfiles
     
  8. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Okay, I deleted all the prefetch stuff and the two files from the hijack this log. Something is still going on because the antivirus you told me to download keeps finding trojans. But, as far as I can tell the computer is running as it should. Don't know if this is new stuff trying to get in or remnants of old stuff. Many windows components are completely missing. Nowhere on the hard drive at all, anywhere, at least in places I know to look. I have tried add/remove programs, search and exploring to no avail. Here is the anti virus report:

    Creation date of the report file: 05.07.2004 18:10

    AntiVir®/XP (2000 + NT) Personal Edition v6.26.00.00 of 27.05.2004
    VDF file v6.26.0.15 (0) of 05.07.2004


    This program is for PERSONAL USE only.
    Any other use is PROHIBITED.
    Informations regarding commercial versions of AntiVir may be obtained from:
    www.hbedv.com.


    Scanning for 87499 virus strains and unwanted programs.

    Licensed for: AntiVir Personal Edition
    Serial number: 0000149996-ADJIE-0001
    FUSE: Basic license

    Please enter the workstation and
    contact name with phone number in this form:

    Name ___________________________________________

    Street ___________________________________________

    Town ___________________________________________

    Phone/Fax ___________________________________________

    EMail ___________________________________________

    Platform: Windows NT Workstation
    Windows version: 5.1 Build 2600 (Service Pack 1)
    Username: Brooke Smith
    Processor: Pentium
    Working memory: 245228 KB free

    Version information:
    AVEWIN32.DLL : v6.26.0.3 430592 15.06.2004 07:42:20
    AVGNT.EXE : v6.26.00.03 122920 04.06.2004 09:09:06
    AVGUARD.EXE : v6.26.00.02 204840 14.05.2004 15:00:30
    GUARDMSG.DLL : v6.26.00.03 90152 26.05.2004 12:33:30
    AVGCMSG.DLL : v6.26.00.00 245800 26.05.2004 13:55:40
    AVGNTDD.SYS : v6.26.00.07 34016 25.05.2004 18:35:04
    AVPACK32.DLL : v6.22.00.24 299048 09.06.2004 16:05:52
    AVGETVER.DLL : v6.22.00.00 24576 20.01.2004 14:14:00
    AVWIN.DLL : v6.26.00.00 557096 27.05.2004 12:50:18
    AVSHLEXT.DLL : v6.22.00.00 57344 20.01.2004 14:14:00
    AVSched32.EXE : v6.23.00.00 110632 20.01.2004 14:14:00
    AVSched32.DLL : v6.23.00.00 122880 20.01.2004 14:14:00
    AVREG.DLL : v6.22.00.00 41000 20.01.2004 14:14:00
    AVRep.DLL : v6.26.00.08 483368 05.07.2004 18:02:06
    INETUPD.EXE : v6.26.00.01 200704 27.05.2004 12:50:44
    INETUPD.DLL : v6.26.00.01 143360 27.05.2004 12:50:44
    CTL3D32.DLL : v2.31.000 27136 18.08.2001 09:00:00
    MFC42.DLL : v6.00.8665.0 995383 18.08.2001 09:00:00
    MSVCRT.DLL : v7.0.2600.1106 (xpsp1.020828-1920
    MSVCRT.DLL : v7.0.2600.1106 323072 29.08.2002 05:41:08
    CTL3DV2.DLL : No information

    Configuration file:

    Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI
    Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG
    Start path: C:\Program Files\AVPersonal
    Command line:
    Start mode: Self-test

    Mode of report file:
    [ ] Do not create report
    [X] Overwrite report
    [ ] Append new report

    Data in report file:
    [X] Infected files
    [ ] Infected files with paths
    [ ] All scanned files
    [ ] Full information

    Abridge report file:
    [ ] Abridge report file

    Warnings in report:
    [X] Access denied/file locked
    [X] Wrong file size in directory
    [X] Wrong creation time in directory
    [ ] COM file is too large
    [X] Invalid start address
    [X] Invalid EXE header
    [X] Possibly damaged

    Summary report:
    [X] Create summary report
    Output file: AVWIN.ACT
    Maximum number of entries: 100

    Where to search:
    [X] Memory
    [X] Boot record of selected drives
    [ ] Report unknown boot sectors
    [ ] All files
    [X] Program files
    Extensions: .386 .ACM .ADE .ADP .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PIF .PKG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

    Response in case of a detection:
    [X] Repair with prompt
    [ ] Repair without prompt
    [ ] Delete with prompt
    [ ] Delete without prompt
    [ ] Write in report file only
    [X] Acoustic alarm

    Response in case of destroyed files:
    [X] Delete with prompt
    [ ] Delete without prompt
    [ ] Ignore

    Response in case of destroyed files:
    [X] No change
    [ ] Current system time
    [ ] Correct date

    Drag&drop settings:
    [X] Scan subdirectories

    Profile settings:
    [X] Scan subdirectories

    Archive options
    [X] Search archive
    [X] All archive types

    Miscellaneous options:
    Temporary path: %TEMP% -> C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp
    [X] Overwrite infected files
    [ ] Detect idle time
    [X] Allow interruptions of scan
    [X] Load AVWin®/NT Guard on System start

    General settings:
    [X] Save options on exiting AntiVir
    Priority: medium

    Initializing OK
    Memory test OK
    Master boot record of hard disk HD0 OK
    Boot record of drive C: OK
    System files
    boot.ini OK
    IO.SYS OK
    MSDOS.SYS OK
    NTDETECT.COM OK
    ntldr OK
    pagefile.sys OK
    System test: OK
    Self-test: OK
     
  9. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi

    well that wasn't the log i was after, i wanted to see what viruses were found and disinfected.

    as far as i know about buster doesn't uninstall microsoft office, i very much doubt that this is related to it,

    could be some of the other removals/scans that did it OR one of the backdoor infections you had there.. you know that the person controlling the backdoor can do anything to your computer...

    can you tell me the names and paths of the trojans that antivir keeps on finding?

    can you post a new log too, and a full startuplog from hjt( config> misc tools >create startuplist log)?

    do you have a firewall installed?

    here is some more info on how to secure your system
     
  10. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    Sorry...here are the log files from hijack this. I can't find the log for the anitvirus. There is no logfile option anywhere as far as I can tell and I did look. It actually doesn't give me a file name when it prompts, it just says that it has found a trojan and then options: fix file, wipe, delete, quarantine, etc. I keep choosing delete. I installed the antivirus you recommended. I think it is a firewall too... also have spyware blaster which is one right? I did have mcafee firewall/virus scan but dumped it one day last week in a fit at having spent $70 and still having problems. :rolleyes: Thanks for sticking it out with me, I really appreciate your time and effort.

    Logfile of HijackThis v1.98.0
    Scan saved at 8:34:05 PM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab






    StartupList report, 7/7/2004, 8:36:05 PM
    StartupList version: 1.52.2
    Started from : C:\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    AVGCtrl = C:\Program Files\AVPersonal\AVGNT.EXE /min

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {F897AA24-BDC3-11D1-B85B-00C04FB93981}_JOSEPH-3ML7OCXS_Brooke Smith.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]
    CODEBASE = http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37917.6794444444

    [{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]
    CODEBASE = http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [iTunesDetector Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ITDetector.ocx
    CODEBASE = http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\BROOKE~1\LOCALS~1\Temp\GLB1A2B.EXE


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,958 bytes
    Report generated in 0.020 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  11. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    actually, I was mistaken about the anti virus, this is what it says:

    C:\SYSTEM VOLUME INFORMATION\_RESTORE{C3D700E3-985C-4CF8-B31E-205782C70E07}\RP256\A0037205.DLL

    The Trojan horse TR/Dldr.WinSh.AC.05
     
  12. brookesmith

    brookesmith Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    8
    any more ideas?
     
Thread Status:
Not open for further replies.