My computer is infested with trojans, a hijacked start page, CPU usage at full, etc.

Discussion in 'adware, spyware & hijack cleaning' started by SourDiesel, Jun 1, 2004.

  1. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Ran spyware and adaware still can't get rid of coolwebservices

    Hello, I need some help fixing my comp, currently running a Windows XP environment. Problems with many dlls including hce.dll idel.dll. My homepage has been hacked by myexexex and for some odd reason my computer runs like 30 multiple instances of wowexec.exe and ntvdm.exe, which brings my processes total to around 60 in the task manager. I figure this is going to take a while to fix. Any help would be appreciated. THANKS in advance. Josh

    Logfile of HijackThis v1.97.7
    Scan saved at 7:52:37 PM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\spad\inst.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Documents and Settings\Plouffe\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C38F504F-26F2-4962-A21F-75404E26716F} - C:\WINDOWS\System32\epapfoa.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE
    O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
    O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{884FD5B3-3F34-483F-92FE-FAC06B76CC77}: NameServer = 206.47.244.112 206.47.244.134
     
    Last edited: Jun 1, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: Ran spyware and adaware still can't get rid of coolwebservices

    Hi SourDiesel,

    Could you mail a copy of Explorer*.exe (NOTE the asterisk *)
    to the address in my profile?

    Before you start, please move HijackThis to a separate folder. The program will make backups in the folder it's in.
    These will now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.com/search.php?said=spage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O2 - BHO: (no name) - {C38F504F-26F2-4962-A21F-75404E26716F} - C:\WINDOWS\System32\epapfoa.dll

    O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\~2.EXE
    O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe

    O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe

    O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
    O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe

    O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - WWW Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Home Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Mosaic Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - FTP Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=
    O13 - Gopher Prefix: http://www.myexexex.com/search.php?said=pfxp&qq=

    Then download and save this file as spad.reg https://www.wilderssecurity.com/attachment.php?attachmentid=137184

    Double-click it and confirm you want to merge it with the registry.

    Then reboot into safe mode and delete:
    c:\spad <= entire folder

    Next, download:
    http://tools.zerosrealm.com/dllfix.exe

    Double-click it and install in a folder of choice on the root drive, in your case C:\

    1. Run start.bat and press option 1. 'output.txt' will be created in the folder

    (note : it's best to post that report together with a HijackThis log in your topic, so experts can have a look as well)

    2. IF hidden dll was successfully found, run start.bat again and choose option 2. Hit '1' and enter dll name manually.

    3. If dll was not found after first running start.bat :

    Run start.bat again and choose option '2'. You must reboot after doing so.

    4. Download and run AdAware : http://www.lavasoft.de/software/adaware/ (make sure you have latest updates) and run it.

    5. Ask for a new hijackthis log, a new output.txt after the fix

    6. You can also run CWShredder finally to clean up other entries.

    Regards,

    Pieter
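
    An added example, not part of the original posts and not code from HijackThis or any tool named in this thread: a small triage script that cross-references HijackThis entries the way the fix list above groups them. The sample lines are copied from the first log in this thread; the three heuristics (a BHO that is the same DLL as a res:// search page, a browser URL on the same host as an O13 prefix, and a startup command with a wildcard name or listed under both Run and RunServices) are assumptions for illustration and do not reproduce the whole fix list.

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the first HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\epapfoa.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex.com/search.php?said=spage&qq=%s
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C38F504F-26F2-4962-A21F-75404E26716F} - C:\WINDOWS\System32\epapfoa.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\Run: [Microsoft Network Daemon for Win32] netd32.exe
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer*.exe
O4 - HKLM\..\RunServices: [Microsoft Network Daemon for Win32] netd32.exe
O13 - DefaultPrefix: http://www.myexexex.com/search.php?said=pfxp&qq=
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RES_DLL = re.compile(r"res://(?P<path>.+?\.dll)", re.I)
BHO = re.compile(r"\{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
STARTUP = re.compile(r"^\w+\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.+)$")


def parse(log):
    """Return (code, body) pairs for every 'R1 - ...' / 'O4 - ...' style line."""
    pairs = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group("code"), m.group("body")))
    return pairs


def url_host(value):
    """Lower-cased host of a URL, or None when the value has no host part."""
    host = urlparse(value.strip()).hostname
    return host.lower() if host else None


def triage(log):
    """Return (code, body, reason) for entries matched by the heuristics."""
    entries = parse(log)
    res_dlls, prefix_hosts, startup_keys = set(), set(), {}

    # Pass 1: collect indicators that other entries are checked against.
    for code, body in entries:
        if code in ("R0", "R1"):
            m = RES_DLL.search(body)
            if m:
                res_dlls.add(m.group("path").lower())
        elif code == "O13":
            host = url_host(body.partition(": ")[2])
            if host:
                prefix_hosts.add(host)
        elif code == "O4":
            m = STARTUP.match(body)
            if m:
                cmd = m.group("cmd").lower()
                startup_keys.setdefault(cmd, set()).add(m.group("key"))

    # Pass 2: flag entries, in log order, with the reason they matched.
    findings = []
    for code, body in entries:
        reason = None
        if code in ("R0", "R1"):
            value = body.partition(" = ")[2].lower()
            if value.startswith("res://"):
                reason = "browser setting loads a page from inside a DLL"
            elif value.startswith("file://"):
                reason = "browser setting points at a local file"
            elif url_host(value) in prefix_hosts:
                reason = "same host as the URL prefix override (O13)"
        elif code == "O2":
            m = BHO.search(body)
            if m and m.group("path").lower() in res_dlls:
                reason = "BHO is the DLL that serves the res:// search pages"
        elif code == "O4":
            m = STARTUP.match(body)
            if m:
                cmd = m.group("cmd").lower()
                if "*" in cmd:
                    reason = "wildcard character in startup file name"
                elif {"Run", "RunServices"} <= startup_keys[cmd]:
                    reason = "same command under both Run and RunServices"
        elif code == "O13" and url_host(body.partition(": ")[2]):
            reason = "URL prefix rewritten to a full web address"
        if reason:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code:<3} {reason}\n    {body}")
```

    The Acrobat BHO and the SysTray.Exe startup entry pass through unflagged, matching the fix list above; entries such as HomeOldSP are not covered by these heuristics and still need an analyst's judgement.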
     
  3. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Thank you very much for your time, Pieter. I believe my computer is free of the cool web services but I'm going to post my hijackthis log and the output from start.bat. There is one thing I found strange. After I cleaned my comp of CWS there was a new exe named xuj.exe. Do you know what it is?

    Logfile of HijackThis v1.97.7
    Scan saved at 7:44:37 PM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\documents and settings\monica\local settings\temp\xuJ.exe
    C:\documents and settings\monica\local settings\temp\xuJ.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [xuJ] C:\documents and settings\monica\local settings\temp\xuJ.exe
    O4 - HKLM\..\Run: [xuJ.exe] C:\documents and settings\monica\local settings\temp\xuJ.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{884FD5B3-3F34-483F-92FE-FAC06B76CC77}: NameServer = 206.47.244.112 206.47.244.134

    --==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
    --==***@@@ ORIGINAL BY FREEATLAST @@@***==--

    Wed 06/02/2004
    07:45 PM

    System Info:

    Microsoft Windows XP [Version 5.1.2600]
    C: "" (ECE4:7331) - FS:NTFS clusters:512
    Total: 15 019 328 512 [14G] - Free: 1 764 718 080 [1.6G]


    *IE version and Service packs:
    6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
    *Notepad version :
    5.1.2600.0 C:\WINDOWS\notepad.exe

    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    MinorVersion REG_SZ ;SP1;Q328970;Q324929;Q837009;Q832894;



    Locked or 'Suspect' file(s) found...
    \\?\C:\WINDOWS\System32\COMHGKD.DLL +++ File read error
    \\?\C:\WINDOWS\System32\COMHGKD.DLL +++ File read error


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "Appinit_Dlls"=""

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    @=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
    @="Web assistant"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    @="NAV Helper"

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


    ! REG.EXE VERSION 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_Dlls REG_SZ

    *Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (NI) ALLOW Read BUILTIN\Users
    (IO) ALLOW Read BUILTIN\Users
    (NI) ALLOW Read BUILTIN\Power Users
    (IO) ALLOW Read BUILTIN\Power Users
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access BUILTIN\Administrators
    (IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Read BUILTIN\Power Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM


    

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Wednesday, June 02, 2004 7:19:57 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R314 02.06.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry


    6-2-2004 7:19:57 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 6-2-2004 11:05:03 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:05:08 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:05:08 PM
    BasePriority : Normal
    FileSize : 99 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:08:33 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:4 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:05:08 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    OriginalFilename : lsass.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:08:53 PM
    Last modified : 8/29/2002 10:41:26 AM

    #:5 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:05:09 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:17:34 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-2-2004 11:05:09 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:17:34 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:7 [stylexpservice.exe]
    FilePath : C:\Program Files\TGTSoft\StyleXP\
    ThreadCreationTime : 6-2-2004 11:05:09 PM
    BasePriority : Normal
    FileSize : 292 KB
    FileVersion : 0, 10, 0, 3000
    ProductVersion : 0, 10, 0, 3000
    Copyright : Copyright 2001
    FileDescription : StyleXPService Module
    InternalName : StyleXPService
    OriginalFilename : StyleXPService.EXE
    ProductName : StyleXPService Module
    Created on : 9/5/2002 11:49:02 PM
    Last accessed : 6/2/2004 11:19:57 PM
    Last modified : 9/5/2002 11:49:02 PM

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-2-2004 11:05:09 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:17:34 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:9 [ccsetmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-2-2004 11:05:09 PM
    BasePriority : Normal
    FileSize : 229 KB
    FileVersion : 2.0.2.806
    ProductVersion : 2.0.2.806
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Settings Manager Service
    InternalName : ccSetMgr
    OriginalFilename : ccSetMgr.exe
    ProductName : Common Client
    Created on : 9/6/2003 12:20:50 AM
    Last accessed : 6/2/2004 11:08:06 PM
    Last modified : 9/6/2003 12:20:50 AM

    #:10 [ccevtmgr.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-2-2004 11:05:10 PM
    BasePriority : Normal
    FileSize : 249 KB
    FileVersion : 2.0.2.806
    ProductVersion : 2.0.2.806
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Event Manager Service
    InternalName : ccEvtMgr
    OriginalFilename : ccEvtMgr.exe
    ProductName : Common Client
    Created on : 9/6/2003 12:20:46 AM
    Last accessed : 6/2/2004 11:05:03 PM
    Last modified : 9/6/2003 12:20:46 AM

    #:11 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:05:17 PM
    BasePriority : Normal
    FileSize : 50 KB
    FileVersion : 5.1.2600.0 (XPClient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    OriginalFilename : spoolsv.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:09:04 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:12 [explorer.exe]
    FilePath : C:\WINDOWS\
    ThreadCreationTime : 6-2-2004 11:05:20 PM
    BasePriority : Normal
    FileSize : 980 KB
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft
    Created on : 12/1/2002 5:23:23 PM
    Last accessed : 6/2/2004 11:08:22 PM
    Last modified : 8/29/2002 10:41:24 AM

    #:13 [ccproxy.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-2-2004 11:05:24 PM
    BasePriority : Normal
    FileSize : 213 KB
    FileVersion : 2.0.2.806
    ProductVersion : 2.0.2.806
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client Network Proxy Service
    InternalName : ccProxy
    OriginalFilename : ccProxy.exe
    ProductName : Common Client
    Created on : 9/6/2003 12:20:48 AM
    Last accessed : 6/2/2004 11:19:57 PM
    Last modified : 9/6/2003 12:20:48 AM

    #:14 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ThreadCreationTime : 6-2-2004 11:05:24 PM
    BasePriority : Normal
    FileSize : 112 KB
    FileVersion : 1, 2, 0, 0
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) SEIKO EPSON CORP. 2000
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    OriginalFilename : SAgent2.exe
    ProductName : EPSON Bidirectional Printer
    Created on : 9/26/2002 8:25:37 PM
    Last accessed : 6/2/2004 11:08:33 PM
    Last modified : 11/17/2000 6:02:00 AM

    #:15 [ghosts~2.exe]
    FilePath : C:\PROGRA~1\Symantec\NORTON~1\
    ThreadCreationTime : 6-2-2004 11:05:25 PM
    BasePriority : Normal
    FileSize : 196 KB
    FileVersion : 2003.775
    ProductVersion : 2003.775
    Copyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton Ghost Start
    InternalName : GhostStartService
    OriginalFilename : GhostStartService.exe
    ProductName : Norton Ghost Start Service

    #:16 [navapsvc.exe]
    FilePath : C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\
    ThreadCreationTime : 6-2-2004 11:05:25 PM
    BasePriority : Normal
    FileSize : 154 KB
    FileVersion : 10.00.109
    ProductVersion : 10.00.109
    Copyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    OriginalFilename : NAVAPSVC.EXE
    ProductName : Norton AntiVirus
    Created on : 8/17/2003 11:34:02 PM
    Last accessed : 6/2/2004 11:08:45 PM
    Last modified : 8/17/2003 11:34:02 PM

    #:17 [nprotect.exe]
    FilePath : C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\
    ThreadCreationTime : 6-2-2004 11:05:25 PM
    BasePriority : Normal
    FileSize : 132 KB
    FileVersion : 16.00.0.22
    ProductVersion : 16.00.0.22
    Copyright : Copyright (C) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Norton Protection Status
    InternalName : NPROTECT
    OriginalFilename : NPROTECT.EXE
    ProductName : Norton Utilities
    Created on : 5/25/2004 10:07:45 PM
    Last accessed : 6/2/2004 11:08:54 PM
    Last modified : 8/14/2002 10:03:00 AM

    #:18 [nvsvc32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-2-2004 11:05:34 PM
    BasePriority : Normal
    FileSize : 68 KB
    FileVersion : 6.14.10.4403
    ProductVersion : 6.14.10.4403
    Copyright : (C) NVIDIA Corporation. All rights reserved.
    CompanyName : NVIDIA Corporation
    FileDescription : NVIDIA Driver Helper Service, Version 44.03
    InternalName : NVSVC
    OriginalFilename : nvsvc32.exe
    ProductName : NVIDIA Driver Helper Service, Version 44.03
    Created on : 7/26/2003 5:27:23 PM
    Last accessed : 6/2/2004 11:08:54 PM
    Last modified : 5/2/2003 7:19:00 PM

    #:19 [sndsrvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-2-2004 11:05:34 PM
    BasePriority : Normal
    FileSize : 193 KB
    FileVersion : 5.2.0.108
    ProductVersion : 5.2
    Copyright : Copyright 2002, 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Symantec Network Driver Service
    InternalName : SndSrvc
    OriginalFilename : SndSrvc.exe
    ProductName : Symantec Security Drivers
    Created on : 8/31/2003 9:27:40 PM
    Last accessed : 6/2/2004 11:09:03 PM
    Last modified : 8/31/2003 9:27:40 PM

    #:20 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-2-2004 11:05:36 PM
    BasePriority : Normal
    FileSize : 12 KB
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:17:34 PM
    Last modified : 8/23/2001 4:00:00 PM

    #:21 [symlcsvc.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\CCPD-LC\
    ThreadCreationTime : 6-2-2004 11:05:36 PM
    BasePriority : Normal
    FileSize : 572 KB
    FileVersion : 1, 8, 48, 77
    ProductVersion : 1, 8, 48, 77
    Copyright : Copyright (C) 2003
    CompanyName : Symantec Corporation
    FileDescription : Symantec Core Component
    InternalName : symlcsvc
    OriginalFilename : symlcsvc.exe
    ProductName : Symantec Core Component
    Created on : 5/25/2004 10:01:03 PM
    Last accessed : 6/2/2004 11:09:05 PM
    Last modified : 5/25/2004 10:01:00 PM

    #:22 [savscan.exe]
    FilePath : C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\
    ThreadCreationTime : 6-2-2004 11:05:47 PM
    BasePriority : Normal
    FileSize : 189 KB
    FileVersion : 9.2.0.79
    ProductVersion : 9.2
    Copyright : Copyright (c) 2003 Symantec Corporation
    CompanyName : Symantec Corporation
    FileDescription : Symantec AntiVirus Scanner
    InternalName : SAVSCAN
    OriginalFilename : SAVSCAN.EXE
    ProductName : Symantec AntiVirus AutoProtect
    Created on : 8/10/2003 12:26:24 AM
    Last accessed : 6/2/2004 11:09:01 PM
    Last modified : 8/10/2003 12:26:24 AM

    #:23 [mmkeybd.exe]
    FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
    ThreadCreationTime : 6-2-2004 11:07:43 PM
    BasePriority : Normal
    FileSize : 160 KB
    FileVersion : 4.1.0
    ProductVersion : 1.00
    Copyright : Copyright
    CompanyName : Netropa Corp.
    FileDescription : Netropa(tm) Hot Key
    InternalName : Netropa Hot Key
    OriginalFilename : nhk.exe
    ProductName : Netropa Hot Key
    Created on : 8/31/2002 5:21:23 PM
    Last accessed : 6/2/2004 11:05:03 PM
    Last modified : 1/17/2002 5:18:42 AM

    #:24 [pstrip.exe]
    FilePath : C:\program files\powerstrip\
    ThreadCreationTime : 6-2-2004 11:07:48 PM
    BasePriority : Idle
    FileSize : 597 KB
    FileVersion : 4.10.03.49
    Copyright : Copyright
    CompanyName : EnTech Taiwan
    FileDescription : PowerStrip for Windows
    InternalName : PowerStrip
    OriginalFilename : pstrip.exe
    Created on : 2/7/2004 11:00:22 PM
    Last accessed : 6/2/2004 11:05:03 PM
    Last modified : 2/26/2004 3:31:18 AM

    #:25 [ccapp.exe]
    FilePath : C:\Program Files\Common Files\Symantec Shared\
    ThreadCreationTime : 6-2-2004 11:07:50 PM
    BasePriority : Normal
    FileSize : 69 KB
    FileVersion : 2.0.2.806
    ProductVersion : 2.0.2.806
    Copyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    CompanyName : Symantec Corporation
    FileDescription : Common Client User Session
    InternalName : ccApp
    OriginalFilename : ccApp.exe
    ProductName : Common Client
    Created on : 9/6/2003 12:20:44 AM
    Last accessed : 6/2/2004 11:05:03 PM
    Last modified : 9/6/2003 12:20:44 AM

    #:26 [devldr32.exe]
    FilePath : C:\WINDOWS\System32\
    ThreadCreationTime : 6-2-2004 11:07:51 PM
    BasePriority : Normal
    FileSize : 23 KB
    FileVersion : 1, 0, 0, 17
    ProductVersion : 1, 0, 0, 17
    Copyright : Copyright (C) Creative Technology Ltd. 1998-2001
    CompanyName : Creative Technology Ltd.
    FileDescription : DevLdr32
    InternalName : DevLdr
    OriginalFilename : DevLdr32.exe
    ProductName : Creative Ring3 NT Inteface
    Created on : 2/26/2003 2:43:16 AM
    Last accessed : 6/2/2004 11:07:51 PM
    Last modified : 8/18/2001 3:36:42 AM

    #:27 [traymon.exe]
    FilePath : C:\Program Files\Netropa\Multimedia Keyboard\
    ThreadCreationTime : 6-2-2004 11:07:58 PM
    BasePriority : Normal
    FileSize : 92 KB
    Created on : 8/31/2002 5:21:23 PM
    Last accessed : 6/2/2004 11:05:03 PM
    Last modified : 11/1/2001 8:07:26 AM

    #:28 [xuj.exe]
    FilePath : C:\documents and settings\monica\local settings\temp\
    ThreadCreationTime : 6-2-2004 11:08:03 PM
    BasePriority : Normal
    FileSize : 228 KB
    Created on : 6/2/2004 8:10:36 PM
    Last accessed : 6/2/2004 11:08:19 PM
    Last modified : 6/2/2004 8:10:36 PM

    #:29 [xuj.exe]
    FilePath : C:\documents and settings\monica\local settings\temp\
    ThreadCreationTime : 6-2-2004 11:08:04 PM
    BasePriority : Normal
    FileSize : 228 KB
    Created on : 6/2/2004 8:10:36 PM
    Last accessed : 6/2/2004 11:08:19 PM
    Last modified : 6/2/2004 8:10:36 PM

    #:30 [ntvdm.exe]
    FilePath : C:\WINDOWS\system32\
    ThreadCreationTime : 6-2-2004 11:08:04 PM
    BasePriority : Normal
    FileSize : 386 KB
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    CompanyName : Microsoft Corporation
    FileDescription : NTVDM.EXE
    InternalName : NTVDM.EXE
    OriginalFilename : NTVDM.EXE
    ProductName : Microsoft
    Created on : 8/23/2001 4:00:00 PM
    Last accessed : 6/2/2004 11:08:10 PM
    Last modified : 8/29/2002 10:41:28 AM

    #:31 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
    ThreadCreationTime : 6-2-2004 11:18:48 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 2/13/2004 12:02:02 AM
    Last accessed : 6/2/2004 11:18:48 PM
    Last modified : 7/13/2003 3:00:20 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"

    Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

    Possible Browser Hijack attempt Object recognized!
    Type : RegData
    Data : "about:blank"
    Rootkey : HKEY_USERS
    Object : .Default\Software\Microsoft\Internet Explorer\Main
    Value : Start Page
    Data : "about:blank"


    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 2
    Objects found so far: 3


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Tracking Cookie Object recognized!
    Type : File
    Data : alex@atdmt[2].txt
    Object : C:\Documents and Settings\Alex\Cookies\

    Created on : 5/29/2004 4:37:15 PM
    Last accessed : 6/2/2004 11:22:18 PM
    Last modified : 5/29/2004 4:37:15 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : alex@gator[1].txt
    Object : C:\Documents and Settings\Alex\Cookies\

    Created on : 5/29/2004 4:02:39 PM
    Last accessed : 6/2/2004 11:22:18 PM
    Last modified : 5/29/2004 4:02:39 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@atdmt[1].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 6/2/2004 8:56:35 PM
    Last accessed : 6/2/2004 11:22:50 PM
    Last modified : 6/2/2004 8:56:35 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@c.as-us.falkag[2].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 6/1/2004 4:19:12 AM
    Last accessed : 6/2/2004 11:22:50 PM
    Last modified : 6/1/2004 4:20:15 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@ehg-ignitemedia.hitbox[2].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 5/30/2004 2:44:16 AM
    Last accessed : 6/2/2004 11:22:50 PM
    Last modified : 5/30/2004 2:44:16 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@hitbox[1].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 5/30/2004 2:42:44 AM
    Last accessed : 6/2/2004 11:22:51 PM
    Last modified : 5/30/2004 2:44:16 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@paycounter[1].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 6/2/2004 3:52:37 AM
    Last accessed : 6/2/2004 11:22:51 PM
    Last modified : 6/2/2004 3:52:37 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@questionmarket[1].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 6/1/2004 4:11:29 AM
    Last accessed : 6/2/2004 11:22:51 PM
    Last modified : 6/1/2004 4:11:29 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : matthew 1@xxxcounter[2].txt
    Object : C:\Documents and Settings\Matthew 1\Cookies\

    Created on : 6/2/2004 3:54:33 AM
    Last accessed : 6/2/2004 11:22:53 PM
    Last modified : 6/2/2004 3:54:33 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : monica@ad-logics[1].txt
    Object : C:\Documents and Settings\Monica\Cookies\

    Created on : 6/2/2004 8:09:37 PM
    Last accessed : 6/2/2004 11:23:10 PM
    Last modified : 6/2/2004 8:09:37 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@2o7[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 6/2/2004 10:39:39 PM
    Last accessed : 6/2/2004 10:39:39 PM
    Last modified : 6/2/2004 10:39:39 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@c.as-us.falkag[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/29/2004 11:48:32 PM
    Last accessed : 6/2/2004 11:23:36 PM
    Last modified : 5/29/2004 11:48:32 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@cgi-bin[1].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/30/2004 6:28:21 PM
    Last accessed : 6/2/2004 11:23:37 PM
    Last modified : 5/30/2004 6:28:21 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@ehg-ati.hitbox[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/29/2004 2:18:21 AM
    Last accessed : 6/2/2004 11:23:38 PM
    Last modified : 5/29/2004 2:18:48 AM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@ehg-techtarget.hitbox[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/30/2004 5:11:56 PM
    Last accessed : 6/2/2004 11:23:38 PM
    Last modified : 5/30/2004 5:11:56 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@hitbox[1].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/30/2004 5:10:36 PM
    Last accessed : 6/2/2004 11:23:39 PM
    Last modified : 5/30/2004 5:11:56 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@tribalfusion[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/30/2004 5:10:37 PM
    Last accessed : 6/2/2004 11:23:43 PM
    Last modified : 5/30/2004 5:10:37 PM



    Tracking Cookie Object recognized!
    Type : File
    Data : plouffe@ttarget.adbureau[2].txt
    Object : C:\Documents and Settings\Plouffe\Cookies\

    Created on : 5/30/2004 5:11:54 PM
    Last accessed : 6/2/2004 11:23:43 PM
    Last modified : 5/30/2004 5:11:54 PM



    CoolWebSearch Object recognized!
    Type : File
    Data : backup-20040602-184851-565.dll
    Object : C:\Documents and Settings\Plouffe\My Documents\
    FileSize : 30 KB
    Created on : 6/2/2004 7:53:42 PM
    Last accessed : 6/2/2004 10:48:51 PM
    Last modified : 6/2/2004 7:53:42 PM



    WinFavorites Object recognized!
    Type : File
    Data : a.exe
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 40 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright
    OriginalFilename : a.exe
    Created on : 3/29/2004 9:44:36 PM
    Last accessed : 6/2/2004 11:35:33 PM
    Last modified : 3/29/2004 9:44:36 PM



    CoolWebSearch Object recognized!
    Type : File
    Data : bjod.dl$
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 30 KB
    Created on : 6/1/2004 3:11:48 AM
    Last accessed : 6/2/2004 11:35:41 PM
    Last modified : 6/1/2004 3:11:48 AM



    CoolWebSearch Object recognized!
    Type : File
    Data : epapfoa.dl$
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 30 KB
    Created on : 6/1/2004 11:42:10 PM
    Last accessed : 6/2/2004 11:36:08 PM
    Last modified : 6/1/2004 11:42:10 PM



    CoolWebSearch Object recognized!
    Type : File
    Data : hce.dl$
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 30 KB
    Created on : 6/1/2004 6:03:33 PM
    Last accessed : 6/2/2004 11:36:15 PM
    Last modified : 6/1/2004 6:03:33 PM



    CoolWebSearch Object recognized!
    Type : File
    Data : ldel.dl$
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 30 KB
    Created on : 5/31/2004 2:42:10 PM
    Last accessed : 6/2/2004 11:36:30 PM
    Last modified : 5/31/2004 2:42:10 PM



    SahAgent Object recognized!
    Type : File
    Data : lsp.dll
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 52 KB
    FileVersion : 1, 1, 1, 20
    ProductVersion : 1, 1, 1, 20
    Copyright : Copyright
    CompanyName : ITForum
    FileDescription : LSP
    InternalName : LSP
    OriginalFilename : LSP.DLL
    ProductName : ITForum LSP
    Created on : 3/30/2004 12:56:20 AM
    Last accessed : 6/2/2004 11:36:33 PM
    Last modified : 11/13/2003 10:35:00 AM



    SahAgent Object recognized!
    Type : File
    Data : sahagent1018.exe
    Object : C:\WINDOWS\SYSTEM32\
    FileSize : 53 KB
    Created on : 3/30/2004 12:56:12 AM
    Last accessed : 6/2/2004 11:37:17 PM
    Last modified : 3/30/2004 12:56:12 AM



    BlazeFind Object recognized!
    Type : File
    Data : 2_0_1browserhelper2.dll
    Object : C:\WINDOWS\
    FileSize : 213 KB
    Created on : 4/20/2004 7:49:32 PM
    Last accessed : 6/2/2004 11:37:50 PM
    Last modified : 4/20/2004 7:49:32 PM



    WinFavorites Object recognized!
    Type : File
    Data : 9148.exe
    Object : C:\WINDOWS\
    FileSize : 180 KB
    Created on : 3/29/2004 9:44:35 PM
    Last accessed : 6/2/2004 11:37:50 PM
    Last modified : 3/29/2004 9:44:36 PM



    VX2.BetterInternet Object recognized!
    Type : File
    Data : bi.ini
    Object : C:\WINDOWS\
    FileSize : 224 KB
    Created on : 4/20/2004 7:51:26 PM
    Last accessed : 6/2/2004 11:37:50 PM
    Last modified : 12/13/2003 2:48:18 PM



    New.Net Object recognized!
    Type : File
    Data : ndnuninstall4_88.exe
    Object : C:\WINDOWS\
    FileSize : 43 KB
    Created on : 5/28/2003 8:32:55 PM
    Last accessed : 6/2/2004 11:37:53 PM
    Last modified : 5/28/2003 8:32:55 PM



    DyFuCA Object recognized!
    Type : File
    Data : optimize.exe
    Object : C:\WINDOWS\
    FileSize : 68 KB
    Created on : 3/29/2004 9:44:39 PM
    Last accessed : 6/2/2004 11:37:54 PM
    Last modified : 3/29/2004 9:44:40 PM



    VX2.BetterInternet Object recognized!
    Type : File
    Data : preinstt.exe
    Object : C:\WINDOWS\
    FileSize : 32 KB
    Created on : 3/29/2004 11:04:13 PM
    Last accessed : 6/2/2004 11:37:54 PM
    Last modified : 2/11/2004 10:30:50 PM



    VX2.BetterInternet Object recognized!
    Type : File
    Data : twaintec.dll
    Object : C:\WINDOWS\
    FileSize : 136 KB
    FileVersion : 0, 1, 4, 19
    ProductVersion : 0, 1, 4, 19
    Copyright : Copyright
    CompanyName : Twain Tech
    FileDescription : www.twain-tech.com
    InternalName : Twaintec
    OriginalFilename : Twaintec.dll
    ProductName : Twaintec
    Created on : 3/29/2004 11:04:13 PM
    Last accessed : 6/2/2004 11:37:56 PM
    Last modified : 2/11/2004 10:30:52 PM



    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 36


    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Possible Browser Hijack attempt Object recognized!
    Type : Folder
    Object : c:\program files\PowerStrip


    WinFavorites Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : atl.registrar


    WinFavorites Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : CLSID\{44ec053a-400f-11d0-9dcd-00a0c90391d3}


    WinFavorites Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : Interface\{B88A3AF1-4F1B-4400-8FFB-3FCB108CE115}


    VX2.BetterInternet Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Dbi


    VX2.BetterInternet Object recognized!
    Type : File
    Data : bi.inf
    Object : c:\windows\inf\
    FileSize : 1 KB
    Created on : 4/20/2004 7:49:03 PM
    Last accessed : 6/2/2004 11:37:58 PM
    Last modified : 11/19/2003 2:56:38 PM



    VX2.BetterInternet Object recognized!
    Type : File
    Data : twtini.inf
    Object : c:\windows\inf\

    Created on : 4/10/2004 5:17:52 AM
    Last accessed : 6/2/2004 11:37:58 PM
    Last modified : 12/12/2003 12:51:04 PM



    VX2.BetterInternet Object recognized!
    Type : File
    Data : twaintec.ini
    Object : c:\windows\
    FileSize : 250 KB
    Created on : 4/10/2004 5:17:52 AM
    Last accessed : 6/2/2004 11:37:58 PM
    Last modified : 4/17/2004 5:11:30 AM



    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 9
    Objects found so far: 45


    7:41:48 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:21:51:285
    Objects scanned :137696
    Objects identified :45
    Objects ignored :0
    New objects :45
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi SourDiesel,

    That does not look very trustworthy.

    Bring up Task Manager and stop the processes:
    xuJ.exe (there are two in this log, but check to see if you stopped them all and if no new processes spawn from the Temp folder).

    Then find C:\documents and settings\monica\local settings\temp\xuJ.exe
    You will need to have hidden files visible:
    To "unhide" hidden files and folders:
    Launch My Computer from the Desktop Icon.
    Select View, Details.
    Select the Folders button.
    Select Tools, Folder Options. Then select the View tab. Make sure the Show hidden files and folders radio button is selected
    and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
    Like Current Folder (located near the top of the Folder Options box). Then select OK.

    Delete the file and Fix in HijackThis:
    O4 - HKLM\..\Run: [xuJ] C:\documents and settings\monica\local settings\temp\xuJ.exe
    O4 - HKLM\..\Run: [xuJ.exe] C:\documents and settings\monica\local settings\temp\xuJ.exe

    Then reboot, run HijackThis again and post the new log.

    Regards,

    Pieter
     
  5. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Ok I think we may have got rid of it for good. I was wondering if you also knew how to make notepad.exe work again. Thanks for your help man.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:09:57 PM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  7. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Hi Pieter, the virus/trojan or whatever CWS is has come back again. I will post a new HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:39:06 PM, on 6/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\DOCUME~1\Plouffe\LOCALS~1\Temp\hipc.dat
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi SourDiesel,

    I see no sign of CWS.
    But reboot into safe mode and use the DiskCleanup Tool to empty all your Temp folders to get rid of:
    C:\DOCUME~1\Plouffe\LOCALS~1\Temp\hipc.dat
    and everything that may have come with it.

    Then post a new (complete) HijackThis log and tell us how CWS manifests itself.

    Regards,

    Pieter
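
The two checks applied in the replies above (Run entries that start a file from a Temp folder, as with xuJ.exe, and running processes that live in a Temp folder, as with hipc.dat), as an added Python example that is not part of the original posts. The sample log is constructed from lines quoted in this thread; the function names and the set of expected image extensions are assumptions of this example.

```python
import ntpath
import re
from typing import NamedTuple

# Constructed sample: a few lines copied from the HijackThis logs and the
# O4 entries quoted in this thread, combined so the example runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:39:06 PM, on 6/4/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Plouffe\LOCALS~1\Temp\hipc.dat
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [xuJ] C:\documents and settings\monica\local settings\temp\xuJ.exe
O4 - HKLM\..\Run: [xuJ.exe] C:\documents and settings\monica\local settings\temp\xuJ.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# A path component named Temp or Tmp; also matches 8.3 paths such as
# C:\DOCUME~1\...\LOCALS~1\Temp\ because the last folder keeps its name.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Any HijackThis item line, e.g. "O2 - ...", "R1 - ...".
ENTRY = re.compile(r"^[A-Z]\d+ - ")
# Registry autostart lines: "O4 - HKLM\..\Run: [name] command".
# "O4 - Global Startup:" shortcut lines use another layout and are skipped.
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.+)$"
)
# Assumption of this example: extensions a process image normally carries.
EXPECTED_IMAGE_EXT = {".exe", ".com", ".scr"}


class Finding(NamedTuple):
    section: str    # "process" or "O4"
    name: str       # Run value name; empty for a running process
    path: str       # process image path or autostart command line
    reasons: tuple  # human-readable reasons the entry was flagged


def parse_hijackthis(log):
    """Return (running_processes, o4_run_entries) from a HijackThis text log."""
    processes, o4 = [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line and not ENTRY.match(line):
                processes.append(line)
                continue
            in_processes = False  # blank line or first item line ends the list
        m = O4_RUN.match(line)
        if m:
            o4.append((m["hive"], m["key"], m["name"], m["cmd"]))
    return processes, o4


def triage(log):
    """Flag processes and Run entries that execute out of a Temp folder."""
    processes, o4 = parse_hijackthis(log)
    findings = []
    for path in processes:
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("runs from a Temp folder")
        ext = ntpath.splitext(path)[1].lower()
        if ext not in EXPECTED_IMAGE_EXT:
            reasons.append(f"image extension {ext or '(none)'} is not an executable type")
        if reasons:
            findings.append(Finding("process", "", path, tuple(reasons)))
    for hive, key, name, cmd in o4:
        # Search the whole command so "rundll32 <dll in Temp>" is caught too.
        if TEMP_DIR.search(cmd):
            reason = f"{hive} {key} autostart points into a Temp folder"
            findings.append(Finding("O4", name, cmd, (reason,)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        label = f"[{f.name}] " if f.name else ""
        print(f"{f.section}: {label}{f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

A hit is a lead to check by hand, as in the thread, not a verdict: installers and updaters also run briefly from Temp.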
     
  9. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Re: My computer is infested with trojans a hijacked start page cpu usage at full etc.

    Ok will do, I also received a rundll error message for bridge.dll. I'm going to reboot into safe and do the disk cleanup right now and post my results. I also heard I should run msconfig.exe and select all the startup processes so I'll do that as well.
     
  10. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Here it is:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:26:15 PM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [OnSig] C:\Program Files\eMule\sig\online.sig.0.2.8rc1.bin.dragod\online.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\SVCHOST32.exe
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It looks like you keep getting attacked by agobot or rbot worms

    you must do this to prevent them

    it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    I would do this immediately as well as it looks like your norton must not be working if it keeps letting them on

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    post back with the scan results and a new hijackthis log afterwards please

    it also looks like a backdoor hacker as well
    so
    I would strongly recommend downloading and running a specialised anti trojan
    lists here http://www.wilders.org/anti_trojans.htm

    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  12. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Here are the results. No viruses found with the online virus scans. Scandump underneath

    Logfile of HijackThis v1.97.7
    Scan saved at 7:43:26 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [OnSig] C:\Program Files\eMule\sig\online.sig.0.2.8rc1.bin.dragod\online.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{884FD5B3-3F34-483F-92FE-FAC06B76CC77}: NameServer = 206.47.244.112 206.47.244.134

    Scan Control Dumped @ 19:41:49 09-06-04
    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load]

    Positive identification: Trojan.Win32.Dialer.bh
    File: c:\documents and settings\alex\local settings\temp\nbdg.dat

    Positive identification: Trojan.Win32.Dialer.bh
    File: c:\documents and settings\matthew 1\local settings\temp\bafb.dat

    Positive identification: Trojan.Win32.Dialer.bh
    File: c:\documents and settings\plouffe\local settings\temp\dacc.dat

    Positive identification: Trojan.Win32.Dialer.bh
    File: c:\documents and settings\plouffe\local settings\temp\hnje.dat

    Positive identification: Trojan.Win32.Dialer.bh
    File: c:\documents and settings\plouffe\local settings\temp\nkec.dat

    Positive identification: Adware.WinFetch
    File: c:\documents and settings\plouffe\local settings\temp\winwildapp.exe

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\plouffe\my documents\filez\applications\zonealarm\zonealarm pro 4.123.012.exe

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\key2.txt

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\unstsa2.exe

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\windows\unstsa2.exe

    Suspicious Filename: Dual extensions
    File: f:\downloads\kazaa\divx.pro.v5.0.3.exe
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
    O4 - HKLM\..\Run: [OnSig] C:\Program Files\eMule\sig\online.sig.0.2.8rc1.bin.dragod\online.exe
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - Global Startup: GStartup.lnk = \GMT.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    c:\windows\key2.txt
    c:\windows\unstsa2.exe

    and Delete these folders
    C:\Program Files\Common Files\CMEII
    C:\Program Files\Common Files\GMT


    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R315 06.06.2004 or a higher number/later date
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  14. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Thanks for your help. My comp is running much faster now but still seems to have many open processes which slow it down. I found many trojans with TDS3 and removed them.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:30 PM, on 6/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
    C:\Documents and Settings\Plouffe\My Documents\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvCplDmn] NAVSVC.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus1.exe"
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
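
Added example, not part of the thread: a way to check a follow-up HijackThis log against the fix list, by comparing O4 startup entries in the log taken before the fix with the log posted after it. The function names are hypothetical, and the three embedded texts are excerpts trimmed from the logs and fix list above.

```python
import re

# O4 lines in a HijackThis log take two shapes:
#   O4 - HKLM\..\Run: [Name] command line
#   O4 - Global Startup: Name.lnk = target
O4_RUN = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.*)$")
O4_LNK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.*)$")


def parse_startup(log_text):
    """Return {(location, lowercased name): command} for every O4 line."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            location, name, command = m.groups()
            entries[(location, name.lower())] = command
    return entries


def check_fix(before, after, fix_list):
    """Compare two logs against the entries the helper asked to fix.

    Entries are matched on location + name, not on the whole line, because
    a fix list can show a different target than the log did (GStartup.lnk
    in this thread is listed as '\\GMT.exe' in the fix list).
    """
    b, a, f = parse_startup(before), parse_startup(after), parse_startup(fix_list)
    return {
        # Fix-list entries that never appeared in the earlier log.
        "not_in_before": sorted(k for k in f if k not in b),
        # Fix-list entries that survived: the fix did not take, or they came back.
        "still_present": sorted(k for k in f if k in a),
        # Gone, but nobody asked for it (e.g. removed by another cleaner).
        "removed_unlisted": sorted(k for k in b if k not in a and k not in f),
        # Startup entries that appeared between the two scans.
        "new_entries": sorted(k for k in a if k not in b),
    }


# Excerpt of the O4 section from the log saved 6/9/2004 (trimmed).
BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [OnSig] C:\Program Files\eMule\sig\online.sig.0.2.8rc1.bin.dragod\online.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
"""

# Excerpt of the O4 section from the log saved 6/10/2004 (trimmed).
AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
"""

# The entries listed in the "fix checked" instructions.
FIX_LIST = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [OnSig] C:\Program Files\eMule\sig\online.sig.0.2.8rc1.bin.dragod\online.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = \GMT.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
"""

if __name__ == "__main__":
    for bucket, keys in check_fix(BEFORE, AFTER, FIX_LIST).items():
        print(bucket, keys)
```

An empty `still_present` list means every entry on the fix list is gone from the later log; anything under `new_entries` or `removed_unlisted` is worth a second look before calling the machine clean.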
     
  15. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    I think I may have found part of the problem and it's in my temp folder. There is a file called cmdlineext03.dll that I cannot delete. It also contains a bunch of .dat files with random names that my Norton Internet Security keeps telling me are trying to connect to the net.
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you had followed the FULL instructions earlier you would have got rid of the temp files

    Boot into safe mode
    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it

    as XP will not let you delete files less than 24 hours old as it thinks it might need them please also do this
    while in the temp folder, select view and select details.
    then right click a blank part and select arrange icons by, and select show in groups and modified, that will give a list of all files in date order with today at the top of the page.
    select all the files/folders except the today ones and delete them all.

    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally
     
  17. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Ok I have deleted all the temp files. I still get messages from norton internet security professional about random .dat files like looh.dat aemk.dat trying to connect to a DNS server. What up with that?
     
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Where is Norton saying it's finding these files?

    Please give us the location that the firewall says they are in, so we can find the best way to delete them.
     
  19. SourDiesel

    SourDiesel Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    11
    Ok, the trojans that Norton Internet Security always picks up are located in my temp folders.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Saw your question earlier in the thread about notepad not working:
    If still so, please search your system for files of size 0 bytes, which you might find, among others, in your TDS directory and other places.
    You might like to make sure with the NTFS ADS streams scan in TDS whether such files are really empty, and check the size of those streams. Normally it's advised to ignore those smaller than 128 bytes, but in this case, with infections, you might like to check them all.

    About the 0-byte files: if really empty or ignorable, delete them.
    Most probably you'll have a 0-byte notepad.exe and wordpad.exe file in TDS and maybe in more locations. Windows creates them, and so you can't use them anymore unless you go all the way to the original in the Windows directory and start it from there.
    I made a shortcut to that on my taskbar, always at hand. And I copied both wordpad and notepad from the original into the TDS directory. So Windows can make as many 0-byte files as it wants, but notepad and wordpad keep working for me.

    Hope this helps for you too.


    One little question: you did install, scan and repair all of the above as an administrator, I suppose?
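
The check described in the post above (find 0-byte files, then see whether they carry NTFS alternate data streams and how large those are) can also be done with built-in PowerShell 3.0 or later. This is an added example, not part of the thread and not how TDS does it; the demo folder name, the stream name `hidden` and the function name are assumptions made for illustration.

```powershell
# Read-only scan: reports 0-byte files and any alternate data streams (ADS) on them.
# Nothing is deleted; review the output before removing anything by hand.

$IgnoreBelow = 128   # the post's "normally ignore" size for a stream, in bytes

# --- Constructed demo data so the scan has something to show (safe to delete afterwards) ---
$Root = Join-Path $env:TEMP 'ads-demo'            # hypothetical folder name
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$empty = Join-Path $Root 'notepad.exe'            # 0-byte file, like the ones in the post
New-Item -ItemType File -Path $empty -Force | Out-Null
Set-Content -LiteralPath $empty -Stream 'hidden' -Value ('A' * 200)  # main stream stays 0 bytes

function Get-ZeroByteFileStreams {                # hypothetical helper name
    param([string]$Path, [int]$Threshold)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 0 } |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the normal, unnamed stream; every other name is an ADS.
            $ads = @(Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                     Where-Object { $_.Stream -ne ':$DATA' })
            if ($ads.Count -eq 0) {
                # Really empty: no main data and no alternate streams.
                [pscustomobject]@{ File = $file.FullName; Stream = '(none)'; Bytes = 0; Review = $false }
            }
            foreach ($s in $ads) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $s.Stream
                    Bytes  = $s.Length
                    Review = ($s.Length -ge $Threshold)   # at or above the usual ignore size
                }
            }
        }
}

Get-ZeroByteFileStreams -Path $Root -Threshold $IgnoreBelow |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

To scan a real location, set `$Root` to that folder and drop the demo-data lines; on an infected machine, look at every row with a named stream, not only those marked `Review`.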
     