searchx keeps coming back...

Discussion in 'adware, spyware & hijack cleaning' started by KOland, May 4, 2004.

  1. KOland

    KOland Guest

    I have run AdAware (latest build 6.181 and 01R302 03.05.2004 installed, keeps finding and removing searchx) and spybot (1.2, finds nothing). I have also run HijackThis and removed the most blatant looking items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\recycled\dc614.dll/sp.html (obfuscated)
    O4 - HKLM\..\RunOnce: [_UnwiseF1] cmd.exe /c del C:\WINNT\system32\calsdr.dll

    cws.searchx keeps coming back -- usually around 9-10 and again about noon. In fact, it came back while I was typing this, adding lines back to the registry (after CWShredder and Ad-aware fixed it). Also, I cannot run a system scan from trendmicro (trying crashes IE) or run SpyBlaster (just downloaded 3.1, from multiple sites; I get a "bad or infected by virus" message when it is executed). A system scan using FPROT (signatures 5/3/04) shows no infected files. At one time, I found (and deleted) nocheat.jar; no other .jar or .class files show in the temporary internet files.

    Logs:

    Lavasoft Ad-aware Personal Build 6.181
    Logfile created on :Tuesday, May 04, 2004 1:08:49 PM
    Created with Ad-aware Personal, free for private use.
    Using reference-file :01R302 03.05.2004
    ______________________________________________________

    Ad-aware Settings
    =========================
    Set : Activate in-depth scan (Recommended)
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-aware Settings
    =========================
    Set : Unload recognized processes during scanning
    Set : Include basic Ad-aware settings in logfile
    Set : Include additional Ad-aware settings in logfile
    Set : Automatically try to unregister objects prior to deletion
    Set : Let windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Always back up reference file, before updating
    Set : Play sound if scan produced a result


    5/4/2004 1:08:49 PM - Scan started. (Custom mode)

    Listing running processes
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ThreadCreationTime : 5/4/2004 5:04:58 PM
    BasePriority : Normal


    #:2 [winlogon.exe]
    FilePath : \??\C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:09 PM
    BasePriority : High


    #:3 [services.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:11 PM
    BasePriority : Normal
    FileSize : 87 KB
    FileVersion : 5.00.2195.6700
    ProductVersion : 5.00.2195.6700
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    OriginalFilename : services.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:4 [lsass.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:11 PM
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 5.00.2195.6695
    ProductVersion : 5.00.2195.6695
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : LSA Executable and Server DLL (Export Version)
    InternalName : lsasrv.dll and lsass.exe
    OriginalFilename : lsasrv.dll and lsass.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:5 [ibmpmsvc.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 5/4/2004 5:05:14 PM
    BasePriority : Normal
    FileSize : 48 KB
    FileVersion : 1, 0, 0, 0
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) IBM Corp., 2000.
    CompanyName : IBM Corp.
    FileDescription : IBM ThinkPad PM Service
    InternalName : IBM ThinkPad PM Service
    OriginalFilename : IBMPMSVC.EXE
    ProductName : IBM ThinkPad Utility
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 11/13/2000 5:14:00 AM

    #:6 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:15 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    #:7 [svchost.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 5/4/2004 5:05:16 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    #:8 [spoolsv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:17 PM
    BasePriority : Normal
    FileSize : 44 KB
    FileVersion : 5.00.2195.6659
    ProductVersion : 5.00.2195.6659
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolss.exe
    OriginalFilename : spoolss.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 3/8/2002 8:21:20 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:9 [ati2evxx.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 5/4/2004 5:05:20 PM
    BasePriority : Normal
    FileSize : 60 KB
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/23/2000 8:29:56 PM

    #:10 [hidserv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:21 PM
    BasePriority : Normal
    FileSize : 19 KB
    FileVersion : 5.00.2195.6655
    ProductVersion : 5.00.2195.6655
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : HID Audio Service
    InternalName : hidserv
    OriginalFilename : HIDSERV.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 4/5/2004 7:39:27 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:11 [logoncmd.exe]
    FilePath : C:\Program Files\ThinkPad\TouchBoard\
    ThreadCreationTime : 5/4/2004 5:05:22 PM
    BasePriority : Normal
    FileSize : 32 KB
    Created on : 3/8/2002 8:44:54 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/14/2000 8:27:58 PM

    #:12 [regsvc.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:23 PM
    BasePriority : Normal
    FileSize : 66 KB
    FileVersion : 5.00.2195.6701
    ProductVersion : 5.00.2195.6701
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Remote Registry Service
    InternalName : regsvc
    OriginalFilename : REGSVC.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 7/20/2003 3:31:25 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:13 [mstask.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:24 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 4.71.2195.6704
    ProductVersion : 4.71.2195.6704
    Copyright : Copyright (C) Microsoft Corp. 1997
    CompanyName : Microsoft Corporation
    FileDescription : Task Scheduler Engine
    InternalName : TaskScheduler
    OriginalFilename : mstask.exe
    ProductName : Microsoft
    Created on : 7/20/2003 3:23:48 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:14 [tcpsvcs.exe]
    FilePath : C:\WINNT\System32\
    ThreadCreationTime : 5/4/2004 5:05:25 PM
    BasePriority : Normal
    FileSize : 24 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : TCP/IP Services Application
    InternalName : TCPSVCS.EXE
    OriginalFilename : TCPSVCS.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    #:15 [stisvc.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:26 PM
    BasePriority : Normal
    FileSize : 60 KB
    FileVersion : 5.00.2195.6656
    ProductVersion : 5.00.2195.6656
    Copyright : Copyright (C) Microsoft Corp. 1996-1997
    CompanyName : Microsoft Corporation
    FileDescription : Still Image Devices Monitor
    InternalName : STIMON
    OriginalFilename : STIMON.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 7/20/2003 3:34:36 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:16 [winmgmt.exe]
    FilePath : C:\WINNT\System32\WBEM\
    ThreadCreationTime : 5/4/2004 5:05:27 PM
    BasePriority : Normal
    FileSize : 192 KB
    FileVersion : 1.50.1085.0100
    ProductVersion : 1.50.1085.0100
    Copyright : Copyright (C) Microsoft Corp. 1995-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Management Instrumentation
    InternalName : WINMGMT
    ProductName : Windows Management Instrumentation
    Created on : 7/20/2003 3:39:37 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:17 [svchost.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:05:28 PM
    BasePriority : Normal
    FileSize : 7 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    OriginalFilename : svchost.exe
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    #:18 [explorer.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 5/4/2004 5:06:33 PM
    BasePriority : Normal
    FileSize : 237 KB
    FileVersion : 5.00.3700.6690
    ProductVersion : 5.00.3700.6690
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    OriginalFilename : EXPLORER.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 7/20/2003 3:01:25 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 6/19/2003 6:05:04 PM

    #:19 [tbsystry.exe]
    FilePath : C:\Program Files\UPDD\
    ThreadCreationTime : 5/4/2004 5:06:37 PM
    BasePriority : Normal
    FileSize : 292 KB
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    Copyright : Copyright (C) 1998
    FileDescription : SystemTray MFC Application
    InternalName : SystemTray
    OriginalFilename : SystemTray.EXE
    ProductName : SystemTray Application
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 11/9/2000 6:55:00 AM

    #:20 [tp4serv.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:37 PM
    BasePriority : Normal
    FileSize : 181 KB
    FileVersion : 2.08
    ProductVersion : 2.08
    Copyright : Copyright (C) IBM Corporation 1997-2000
    CompanyName : IBM Corporation
    FileDescription : IBM PS/2 TrackPoint Daemon
    InternalName : daemon.exe
    OriginalFilename : daemon.exe
    ProductName : IBM PS/2 TrackPoint Support
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 11/13/2000 6:08:00 AM

    #:21 [atiptaxx.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:37 PM
    BasePriority : Normal
    FileSize : 176 KB
    FileVersion : 4.12.2467
    ProductVersion : 4.12.2467
    Copyright : Copyright (C) 1998-2000 ATI Technologies Inc.
    CompanyName : ATI Technologies, Inc.
    FileDescription : ATI Task Icon
    InternalName : ATIPDSXX
    OriginalFilename : ATIPTAXX.DLL
    ProductName : ATI Desktop Component
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/14/2000 9:25:22 PM

    #:22 [ltcm000c.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:37 PM
    BasePriority : Normal
    FileSize : 100 KB
    FileVersion : 1, 0, 1, 7
    ProductVersion : 1.28(LT 1,0,1,7)
    Copyright : Copyright
    CompanyName : LUCENT TECHNOLOGIES
    FileDescription : ltmsg
    InternalName : ltmsg
    OriginalFilename : ltmsg.exe
    ProductName : Xircom Ltmsg
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/16/2000 4:37:42 PM

    #:23 [promon.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:37 PM
    BasePriority : Normal
    FileSize : 28 KB
    FileVersion : 1.11
    ProductVersion : 3.09
    Copyright : Copyright (C) 1998-2000 Intel Corporation. All Rights Reserved.
    CompanyName : Intel Corporation
    FileDescription : Intel(R) PROSet Tray Icon
    InternalName : Intel(R) PROMonitor
    OriginalFilename : PROMon.exe
    ProductName : Intel(R) PROMonitor
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 4/13/2000 3:34:18 PM

    #:24 [wpctrl.exe]
    FilePath : C:\Program Files\WinPortrait\
    ThreadCreationTime : 5/4/2004 5:06:38 PM
    BasePriority : Normal
    FileSize : 1144 KB
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/30/2000 4:10:00 PM

    #:25 [inkxfer.exe]
    FilePath : C:\Program Files\IBM\IBM Ink Manager Pro\
    ThreadCreationTime : 5/4/2004 5:06:39 PM
    BasePriority : Normal
    FileSize : 316 KB
    FileVersion : 1, 0, 11, 20
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright
    CompanyName : IBM Corporation
    FileDescription : IBM Ink Transfer
    InternalName : InkXfer
    OriginalFilename : InkXfer.EXE
    ProductName : IBM Ink Transfer
    Created on : 1/12/2001 9:19:08 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 1/12/2001 9:19:08 PM

    #:26 [pim.exe]
    FilePath : C:\Program Files\IBM\IBM Ink Manager Pro\
    ThreadCreationTime : 5/4/2004 5:06:40 PM
    BasePriority : Normal
    FileSize : 96 KB
    FileVersion : 1, 0, 11, 20
    ProductVersion : 1, 0, 0, 0
    Copyright : Copyright (C) 1998-2001
    CompanyName : IBM Corporation
    FileDescription : IBM Ink Manager Pro - PIM support
    InternalName : pim
    OriginalFilename : pim.EXE
    ProductName : IBM Ink Manager Pro
    Created on : 1/12/2001 9:22:44 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 1/12/2001 9:22:44 PM

    #:27 [rundll32.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:41 PM
    BasePriority : Normal
    FileSize : 9 KB
    FileVersion : 5.00.2134.1
    ProductVersion : 5.00.2134.1
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Run a DLL as an App
    InternalName : rundll
    OriginalFilename : RUNDLL.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    #:28 [tphkmgr.exe]
    FilePath : C:\PROGRA~1\ThinkPad\UTILIT~1\
    ThreadCreationTime : 5/4/2004 5:06:41 PM
    BasePriority : Normal
    FileSize : 52 KB
    Created on : 3/8/2002 8:51:55 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 10/12/2000 12:59:34 AM

    #:29 [prpcui.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:42 PM
    BasePriority : Normal
    FileSize : 32 KB
    FileVersion : 1.1.0.0
    ProductVersion : 1.1.0.0
    Copyright : Copyright
    CompanyName : Intel Corporation
    FileDescription : Intel(R) SpeedStep(TM) technology User Interface
    InternalName : prpcui.exe
    OriginalFilename : prpcui.exe
    ProductName : Intel(R) SpeedStep(TM) technology applet
    Created on : 3/8/2002 8:52:08 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 1/6/2000 12:00:00 PM

    #:30 [point32.exe]
    FilePath : C:\Program Files\Microsoft Hardware\Mouse\
    ThreadCreationTime : 5/4/2004 5:06:43 PM
    BasePriority : Normal
    FileSize : 164 KB
    FileVersion : 4.00.0657.1
    ProductVersion : 4.0
    Copyright : Copyright (C) Microsoft Corp. 1983-2001
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft IntelliPoint
    InternalName : POINT32
    OriginalFilename : POINT32.EXE
    ProductName : Microsoft IntelliPoint
    Created on : 8/23/2001 10:37:39 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/23/2001 10:37:40 PM

    #:31 [f-stopw.exe]
    FilePath : C:\Program Files\FSI\F-Prot\
    ThreadCreationTime : 5/4/2004 5:06:44 PM
    BasePriority : Normal
    FileSize : 284 KB
    FileVersion : 3.14C
    ProductVersion : 3.14C
    Copyright : Copyright
    CompanyName : Frisk Software International
    FileDescription : F-StopW Version 3.14C
    InternalName : F-StopW
    OriginalFilename : F-StopW.EXE
    ProductName : F-StopW NT/2000/XP
    Created on : 6/14/2003 1:13:14 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 2/5/2004 7:30:48 PM

    #:32 [f-sched.exe]
    FilePath : C:\Program Files\FSI\F-Prot\
    ThreadCreationTime : 5/4/2004 5:06:45 PM
    BasePriority : Normal
    FileSize : 316 KB
    FileVersion : 1, 0, 0, 7
    ProductVersion : 1, 0, 0, 7
    Copyright : Copyright (C) 1999 - 2003
    CompanyName : FRISK Software International
    FileDescription : Scheduler - Windows application
    InternalName : F-Scheduler
    OriginalFilename : F-Scheduler.exe
    ProductName : Scheduler for F-Prot for Windows
    Created on : 6/14/2003 1:13:13 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 4/7/2003 1:47:42 PM

    #:33 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ThreadCreationTime : 5/4/2004 5:06:47 PM
    BasePriority : Normal
    FileSize : 76 KB
    FileVersion : 6.3
    ProductVersion : QuickTime 6.3
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    OriginalFilename : QTTask.exe
    ProductName : QuickTime
    Created on : 8/16/2003 11:16:45 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/16/2003 11:16:46 PM

    #:34 [icqlite.exe]
    FilePath : C:\Program Files\ICQLite\
    ThreadCreationTime : 5/4/2004 5:06:47 PM
    BasePriority : Normal
    FileSize : 1673 KB
    FileVersion : 555
    ProductVersion : 1, 0, 0
    Copyright : Copyright (C) 2002
    CompanyName : ICQ Ltd.
    FileDescription : ICQLite
    InternalName : ICQ Lite
    OriginalFilename : ICQLite.exe
    ProductName : ICQLite
    Created on : 8/18/2003 10:18:39 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 9/29/2003 11:58:18 AM

    #:35 [bp_bg.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 5/4/2004 5:06:48 PM
    BasePriority : Normal
    FileSize : 116 KB
    FileVersion : 6.01.1000.0
    ProductVersion : 6.01.1000.0
    Copyright : Copyright (C) 1998-2003 Cypress Semiconductor
    CompanyName : Cypress Semiconductor
    FileDescription : Cypress USB Mass Storage Driver Background Application
    InternalName : CY_BG.EXE
    OriginalFilename : CY_BG.EXE
    ProductName : Cypress USB Mass Storage Adapter
    Created on : 12/3/2003 2:04:40 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 4/18/2003 3:30:10 PM

    #:36 [hplamp.exe]
    FilePath : C:\SCANJET\PrecisionScanPro\
    ThreadCreationTime : 5/4/2004 5:06:48 PM
    BasePriority : Normal
    FileSize : 41 KB
    Created on : 4/6/2004 1:36:50 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/23/1999 5:11:00 AM

    #:37 [realsched.exe]
    FilePath : C:\Program Files\Common Files\Real\Update_OB\
    ThreadCreationTime : 5/4/2004 5:06:49 PM
    BasePriority : Normal
    FileSize : 176 KB
    FileVersion : 0.1.0.3018
    ProductVersion : 0.1.0.3018
    Copyright : Copyright
    CompanyName : RealNetworks, Inc.
    FileDescription : RealNetworks Scheduler
    InternalName : schedapp
    OriginalFilename : realsched.exe
    ProductName : RealPlayer (32-bit)
    Created on : 4/11/2004 12:39:27 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 4/11/2004 12:39:28 AM

    #:38 [ctfmon.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:49 PM
    BasePriority : Normal
    FileSize : 8 KB
    FileVersion : 1.00.2409.7 built by: Lab06_N
    ProductVersion : 1.00.2409.7
    Copyright : Copyright (C) Microsoft Corporation. 1981-2001
    CompanyName : Microsoft Corporation
    FileDescription : Cicero Loader
    InternalName : CICLOAD
    OriginalFilename : CICLOAD.EXE
    ProductName : Microsoft(R) Windows NT(R) Operating System
    Created on : 2/20/2001 5:09:54 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 2/20/2001 5:09:54 PM

    #:39 [autochk.exe]
    FilePath : C:\CFGSAFE\
    ThreadCreationTime : 5/4/2004 5:06:50 PM
    BasePriority : Normal
    FileSize : 11 KB
    FileVersion : 3.06.01
    Copyright : Copyright
    CompanyName : imagine LAN, Inc.
    FileDescription : ConfigSafe Auto Check Program
    InternalName : AUTOCHK
    OriginalFilename : AUTOCHK.EXE
    Created on : 1/1/1980 4:00:00 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 1/10/2000 7:38:02 PM

    #:40 [tsproto.exe]
    FilePath : C:\WINNT\system32\
    ThreadCreationTime : 5/4/2004 5:06:50 PM
    BasePriority : Normal
    FileSize : 48 KB
    FileVersion : 1, 0, 11, 16
    ProductVersion : 0.10
    Copyright : Copyright (C) 1999-2001
    CompanyName : IBM Corporation
    FileDescription : tsproto Application
    InternalName : TSPROTO
    OriginalFilename : tsproto.EXE
    ProductName : IBM Ink Transfer
    Created on : 1/12/2001 9:11:20 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 1/12/2001 9:11:20 PM

    #:41 [wzqkpick.exe]
    FilePath : C:\Program Files\WinZip\
    ThreadCreationTime : 5/4/2004 5:06:51 PM
    BasePriority : Normal
    FileSize : 104 KB
    FileVersion : 1.0 (32-bit)
    ProductVersion : 8.1 (4319)
    Copyright : Copyright (c) WinZip Computing, Inc. 1991-2001 - All Rights Reserved
    CompanyName : WinZip Computing, Inc.
    FileDescription : WinZip Executable
    InternalName : WZQKPICK.EXE
    OriginalFilename : WZQKPICK.EXE
    ProductName : WinZip
    Created on : 6/24/2003 11:31:14 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 2/11/2003 12:10:00 PM

    #:42 [ad-aware.exe]
    FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
    ThreadCreationTime : 5/4/2004 5:06:51 PM
    BasePriority : Normal
    FileSize : 668 KB
    FileVersion : 6.0.1.181
    ProductVersion : 6.0.0.0
    Copyright : Copyright
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-aware 6 core application
    InternalName : Ad-aware.exe
    OriginalFilename : Ad-aware.exe
    ProductName : Lavasoft Ad-aware Plus
    Created on : 9/9/2003 1:20:12 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/13/2003 1:00:20 AM

    #:43 [qwdlls.exe]
    FilePath : C:\Program Files\QUICKENW\
    ThreadCreationTime : 5/4/2004 5:06:52 PM
    BasePriority : Normal
    FileSize : 36 KB
    FileVersion : 001.000.000.000
    ProductVersion : 009.000.000.000
    Copyright : Copyright
    CompanyName : Intuit
    FileDescription : Quicken Load DLLs
    InternalName : QWDLLS.EXE
    OriginalFilename : QWDLLS.EXE
    ProductName : Quicken 2002 for Windows
    Created on : 4/8/2004 2:18:24 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/1/2001 1:59:50 AM

    #:44 [bp_nint.exe]
    FilePath : C:\WINNT\
    ThreadCreationTime : 5/4/2004 5:06:55 PM
    BasePriority : Normal
    FileSize : 276 KB
    FileVersion : 6.01.1000.0
    ProductVersion : 6.01.1000.0
    Copyright : Copyright (C) 1998-2003 Cypress Semiconductor
    CompanyName : Cypress Semiconductor
    FileDescription : Cypress USB Mass Storage Driver Notification Icon Application
    InternalName : CY_NINT.EXE
    OriginalFilename : CY_NINT.EXE
    ProductName : Cypress USB Mass Storage Adapter
    Created on : 12/3/2003 2:04:41 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 4/18/2003 3:30:10 PM

    #:45 [hotsync.exe]
    FilePath : C:\Palm\
    ThreadCreationTime : 5/4/2004 5:06:56 PM
    BasePriority : Normal
    FileSize : 292 KB
    FileVersion : 4.0.4
    ProductVersion : 4.1.0
    Copyright : Copyright
    CompanyName : Palm, Inc.
    FileDescription : HotSync
    InternalName : HotSync
    OriginalFilename : Hotsync.exe
    ProductName : HotSync
    Created on : 8/9/2002 8:36:20 PM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 8/9/2002 8:36:20 PM

    #:46 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ThreadCreationTime : 5/4/2004 5:07:24 PM
    BasePriority : Normal
    FileSize : 59 KB
    FileVersion : 5.00.2920.0000
    ProductVersion : 5.00.2920.0000
    Copyright : Copyright (C) Microsoft Corp. 1981-1999
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    OriginalFilename : IEXPLORE.EXE
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    Created on : 3/8/2002 8:30:25 AM
    Last accessed : 5/4/2004 4:00:00 AM
    Last modified : 7/26/2000 9:00:00 AM

    Memory scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 0


    Started registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : SOFTWARE\Microsoft\Internet Explorer\Main
    Value : HOMEOldSP


    Registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 1
    Objects found so far: 1


    Started deep registry scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Deep registry scan result :
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Deep scanning and examining files (C:)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Disk scan result for C:\
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 0
    Objects found so far: 1


    Scanning Hosts file(C:\WINNT\system32\drivers\etc\hosts)
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    Hosts file scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    1 entries scanned.
    New objects :0
    Objects found so far: 1




    Performing conditional scans..
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/html


    CoolWebSearch Object recognized!
    Type : RegKey
    Data :
    Rootkey : HKEY_CLASSES_ROOT
    Object : PROTOCOLS\Filter\text/plain


    CoolWebSearch Object recognized!
    Type : RegValue
    Data :
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    Value : ITBarLayout


    Conditional scan result:
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    New objects : 3
    Objects found so far: 4


    1:26:05 PM Scan complete

    Summary of this scan
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    Total scanning time :00:17:14:687
    Objects scanned :130258
    Objects identified :4
    Objects ignored :0
    New objects :4

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 2000 (5.00.2195 SP4)
    Windows dir: C:\WINNT
    Windows system dir: C:\WINNT\system32
    AppData folder: C:\Documents and Settings\Oly\Application Data
    Username: oly

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant,http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    Infected data: res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (21 bytes, R)
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINNT\win.ini (655 bytes, A)
    Found System.ini file: C:\WINNT\system.ini (231 bytes, A)

    - END OF REPORT -

    Logfile of HijackThis v1.97.7
    Scan saved at 1:37:02 PM, on 5/4/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\ati2evxx.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\ThinkPad\TouchBoard\LOGONCMD.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\UPDD\TBSysTry.exe
    C:\WINNT\system32\tp4serv.exe
    C:\WINNT\system32\Atiptaxx.exe
    C:\WINNT\system32\ltcm000c.exe
    C:\WINNT\system32\Promon.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\Program Files\IBM\IBM Ink Manager Pro\InkXfer.exe
    C:\Program Files\IBM\IBM Ink Manager Pro\pim.exe
    C:\WINNT\system32\RunDll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINNT\bp_bg.exe
    C:\SCANJET\PrecisionScanPro\HPLamp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\CFGSAFE\AUTOCHK.EXE
    C:\WINNT\system32\tsproto.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\WINNT\bp_nint.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\notepad.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Downloads\Get Rid of Spies\HiJackThis\HijackThis.exe
    C:\WINNT\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {58C3650B-779E-4F93-A4C3-510C2C617DB5} - C:\WINNT\system32\bdajbb.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
    O4 - HKLM\..\Run: [TBSysTry] C:\Program Files\UPDD\TBSysTry.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [Ink Transfer] C:\Program Files\IBM\IBM Ink Manager Pro\InkXfer.exe
    O4 - HKLM\..\Run: [Ink QuickNote] C:\Program Files\IBM\IBM Ink Manager Pro\reminder.exe
    O4 - HKLM\..\Run: [Ink PIM] C:\Program Files\IBM\IBM Ink Manager Pro\pim.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [CY_BG] C:\WINNT\bp_bg.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} (EModelNonVersionSpecificViewControl Class) - http://www.solidworks.com/plugins/edrawings/download.cfm
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/119db738501b91d59200/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/sdccommon/download/en/IbmEgath.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37822.3201157407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = staffingtech.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = staffingtech.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = staffingtech.com
     
  2. KOland

    KOland Guest

    Forgot this one. PV shows this:

    Possible bad file(s) found... (locked)
    \\?\C:\WINNT\System32\EVENTLOG.DLL +++ File read error
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    REGEDIT4

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
    @="AP Class Install Handler filter"
    "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
    @="AP Deflate Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
    @="AP GZIP Encoding/Decoding Filter "
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
    @="AP lzdhtml encoding/decoding Filter"
    "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

    [HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
    @="WebView MIME Filter"
    "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

    =============
    The Eventlog.dll looks like the correct one from W2KSP4. It is also impossible to delete or rename normally. I did manage to delete it (with tools suggested from here) and replace it with the one in the servicepackinstalls directory for SP4 (same date, size, etc., as the one on my notebook at the same version -- the notebook has NO problems, just my desktop). I do not believe eventlog.dll is the problem.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi KOland,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {58C3650B-779E-4F93-A4C3-510C2C617DB5} - C:\WINNT\system32\bdajbb.dll

    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg

    O4 - HKLM\..\Run: [CY_BG] C:\WINNT\bp_bg.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/119db738501b91d59200/netzip/RdxIE601.cab

    Then reboot and delete:
    c:\winnt\tour.reg

    Then follow the instructions here:
    https://www.wilderssecurity.com/showpost.php?p=162440&postcount=4

    Regards,

    Pieter
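Pieter's fix list is built by reading the HijackThis log for a few telltale lines: R0/R1 entries whose value is a res:// path into a local DLL, the BHO that loads that same DLL, and a Run entry that silently re-imports a .reg file at every logon (which is one way removed keys come back after a reboot). The following Python is an added example, not part of this thread and not HijackThis code; it encodes those checks as detection rules and runs them over a constructed sample log modelled on the one posted above (the http://www.example.com search page is a made-up benign line, added to show an entry that is not flagged). The rule set and the "high"/"review" labels are this example's own assumptions, not a HijackThis feature.

```python
"""Detection rules for CoolWebSearch-style hijack lines in a HijackThis log.

Added example: not from the thread and not HijackThis code. SAMPLE_LOG is
constructed from the line types posted in the thread; the rules and the
severity labels are assumptions about what a reviewer of such a log checks.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the posted log. The www.example.com search
# page is a made-up benign entry; the O8 line shows that res:// URLs are
# normal for toolbar context menus, which is why the rule below only looks
# at R0/R1 (start/search page) entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\bdajbb.dll/sp.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search
O2 - BHO: (no name) - {58C3650B-779E-4F93-A4C3-510C2C617DB5} - C:\WINNT\system32\bdajbb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
"""

R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A res:// URL whose "host" is a local module path, e.g. res://C:\...\x.dll/sp.html
RES_MODULE = re.compile(r"res://(?P<module>[^/]+?\.(?:dll|ocx|exe))/", re.IGNORECASE)
# regedit /s imports a .reg file without any prompt
SILENT_REG_IMPORT = re.compile(r'^"?regedit(\.exe)?"?\s+/s\b', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = fix it, "review" = confirm by hand first
    line: str
    reason: str


@dataclass
class Report:
    findings: list = field(default_factory=list)
    # local modules that R0/R1 entries redirect into via res://
    hijack_modules: set = field(default_factory=set)


def _norm_path(p):
    return p.strip().strip('"').lower()


def analyze(log_text):
    rep = Report()
    bhos, run_entries, blank_pages = [], [], []
    # Pass 1: parse only the line types the rules need.
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := R_LINE.match(line)):
            mod = RES_MODULE.search(m.group("value"))
            if mod:
                rep.hijack_modules.add(_norm_path(mod.group("module")))
                rep.findings.append(Finding("high", line, "IE search/start page redirected into a local res:// module"))
            elif m.group("value").startswith("about:blank"):
                blank_pages.append(line)
        elif (m := O2_LINE.match(line)):
            bhos.append((m.group("name"), _norm_path(m.group("path")), line))
        elif (m := O4_LINE.match(line)):
            run_entries.append((m.group("cmd"), line))
    # Pass 2: correlate across line types.
    for name, path, line in bhos:
        if path in rep.hijack_modules:
            rep.findings.append(Finding("high", line, "BHO loads the same module the res:// redirect points at"))
        elif name == "(no name)":
            rep.findings.append(Finding("review", line, "unnamed BHO; confirm where the DLL came from"))
    for cmd, line in run_entries:
        if SILENT_REG_IMPORT.match(cmd):
            rep.findings.append(Finding("high", line, "silent .reg import at logon can re-create removed keys"))
    if rep.hijack_modules:
        # about:blank on its own is harmless; next to a res:// redirect it is
        # usually the hijacker's doing, so surface it for a manual reset.
        for line in blank_pages:
            rep.findings.append(Finding("review", line, "about:blank page alongside a res:// redirect; restore the intended page"))
    return rep


def high_lines(rep):
    """Lines a reviewer would put in the 'fix checked' list."""
    return [f.line for f in rep.findings if f.severity == "high"]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG).findings:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

The correlation step is the useful part: the res:// module name extracted from the R-entries is matched against every O2 BHO path, so the DLL that keeps re-writing the search settings is tied to the browser extension that loads it, and the `regedit /s` rule catches the kind of logon-time re-import that explains settings "coming back" after a cleanup.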
     