Mourning the loss of our friend, WhitPhil.
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
access audio black screen blue screen boot bsod connection crash dell desktop driver drivers dvd email error excel firefox hard drive hardware hdmi hijackthis internet itunes keyboard laptop malware monitor network networking outlook problem ram recovery router screen slow sound spyware tdlwsp.dll trojan vba video virus vista vundo windows windows 7 windows vista windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
[SOLVED] using HijackThis to remove wupdater.exe (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
Page 2 of 3 1 2 3
 
Thread Tools
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
02-Jan-2004, 12:31 PM #16
This reply is for pf9647, I *think* see how confusing this gets??

Run HJT again and put checks against these:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574a...ip/RdxIE601.cab
O16 - DPF: {986DDE35-E955-11D0-A707-000000521958} - http://69.56.176.75/webplugin.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/i...uditControl.cab

Close all browser windows before clicking "fix checked".

Run lsp-fix from here http://www.cexx.org/lspfix.htm

Delete these folders
C:\Program Files\Common Files\slmss
C:\Program Files\Common files\updater
and this file
C:\WINDOWS\Belt.exe

Reboot your machine and post another log.
Last edited by cybertech : 02-Jan-2004 01:50 PM.
Register for free to hide this ad!
Dilton's Avatar
Junior Member with 10 posts.
  
Join Date: Jan 2004
02-Jan-2004, 01:22 PM #17
wupdater
Help!!!

Logfile of HijackThis v1.97.7
Scan saved at 1:29:31 AM, on 1/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Documents and Settings\Tom Pisuena\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...985.4061458333
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
02-Jan-2004, 01:48 PM #18
This reply is for Dilton:

Welcome to TSG, in the future please start your own post so things don't get confusing.

In Add/Remove programs, remove P2P Networking or you will continue to get infected.

Run HJT again and put checks against these:

R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Close all browser windows before clicking "fix checked".

Find and delete the following:
teekids.exe - - > File
mslaugh.exe- - > File

C:\WINDOWS\System32\P2P Networking - - > Folder
C:\Program Files\Common files\updater - - > Folder

Download Spybot http://tomcoyote.org/SPYBOT/index1.php

Make sure to follow the instructions for updates prior to running the scan.

Click on "Search For updates" After the search has completed, the available Updates will be listed. Choose which Updates you would like to Download. Click "Download updates." The Updates will self install. The screen will change again.
Sometimes the Default Download Location will produce an Error. If that happens, look in the right panel. There you will find a small arrow next to the name of the current Download site. Click on it for a list of alternate sites. One of those should be able to retrieve the files you have selected.

Download AdAware http://www.lavasoftusa.com/

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Adaware configuration
Then ........
Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

Then......
Click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

Then.....
Go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

Then...... click "proceed" to save your settings.

Reboot and post another HJT log and let's see what's left.
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 03:11 PM #19
I also have the same problem.
Below is my log:
Please tell me what to fix.

Logfile of HijackThis v1.97.7
Scan saved at 21:44:13, on 6/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Fast.exe
D:\WINDOWS\System32\taskswitch.exe
D:\WINDOWS\System32\fast.exe
D:\Program Files\Drivers\Iomega\DriveIcons\ImgIcon.exe
D:\WINDOWS\System32\CTHELPER.EXE
D:\program files\music software\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
D:\Program Files\Utilities\Active Desktop Calendar\ADC.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Internet Software\GetRight\GETRIGHT.EXE
D:\Program Files\Internet Software\GetRight\GETRIGHT.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Nikos\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.777search.com"); (D:\Documents and Settings\Nikos\Application Data\Mozilla\Profiles\default\zwur8jji.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CInternet%20Software%5CNetscape%5CNetscape%206%5Cse archplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Nikos\Application Data\Mozilla\Profiles\default\zwur8jji.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - D:\Program Files\Internet Software\WebFerret\FerretBand.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Systran40stand.IEPlugIn - {EDDEB5CF-6CC3-11D6-ABAA-00B0D094B576} - D:\Program Files\Systran\4_0\Standard\IEPlugIn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [wcmdmgr] D:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] D:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Iomega Startup Options] D:\Program Files\Drivers\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] D:\Program Files\Drivers\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [mmtask] d:\program files\music software\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\video software\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpyStopper] D:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [updater] D:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] D:\Program Files\Utilities\Active Desktop Calendar\ADC.exe
O4 - Startup: clean.exe (2).lnk = J:\TEMP\CLEAN.EXE
O4 - Startup: clean.exe (3).lnk = E:\TEMP\clean.exe
O4 - Startup: clean.exe (4).lnk = F:\TEMP\clean.exe
O4 - Startup: CLEAN.EXE (5).lnk = C:\WINDOWS\TEMP\CLEAN.EXE
O4 - Startup: clean.exe.lnk = D:\TEMP\clean.exe
O4 - Startup: Task manager.lnk = D:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: Allow Popups - D:\Program Files\Internet Software\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download with GetRight - D:\Program Files\Internet Software\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\Internet Software\GetRight\GRbrowse.htm
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vertical.di.uoa.gr
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...987.5818171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://cdn.climaxbucks.com/internet-...istIOcrack.CAB
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.climaxbucks.com/internet-.../MultiDist.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB05A486-361D-4C39-A226-6675700A8E93}: NameServer = 193.92.150.3 194.219.227.2
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 03:14 PM #20
I forgot to tell you that clean.exe is a program I created to empty all the temp folders on startup.
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
06-Jan-2004, 03:19 PM #21
Click on the link below to download CWshredder
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run the program and let it do it's thing.

Make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection.
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
06-Jan-2004, 03:25 PM #22
Post another log when you are done there may be some more cleanup to do.
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 03:39 PM #23
When I click scan only I get this:


CWShredder v1.43.0 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: D:\WINDOWS
Windows system dir: D:\WINDOWS\system32
AppData folder: D:\Documents and Settings\Nikos\Application Data
Username: Nikos

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] D:\WINDOWS\system32\userinit.exe,
Found Win.ini file: D:\WINDOWS\win.ini (1652 bytes, A)
Found System.ini file: D:\WINDOWS\system.ini (292 bytes, A)

- END OF REPORT -
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 03:42 PM #24
Done!
Your system was completely clean.

Windows XP (5.01.2600 SP1)
CWShredder v1.43.0
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit http://forums.spywareinfo.com/
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 03:52 PM #25
I am running the windows update. I'll' be back in one hour with the log.
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 04:14 PM #26
I deleted the contents of the folder :
D:\Program Files\Common Files\updater

where the wupdater.exe was. I hope that wasn't stupid.


I am now waiting for the windows update (I have a modem connection).

I run Spybot (I installed all the updates).

Below is the spybot logfile:

Alexa Related: What's related link (Replace file, nothing done)
D:\WINDOWS\Web\related.htm

Avenue A, Inc.: Tracking cookie or cookie of tracking site (File, nothing done)
D:\Documents and Settings\Nikos\Cookies\nikos@atdmt[2].txt

CommonName: Temporary directory (Directory, nothing done)
D:\WINDOWS\Temp\Adware

Cydoor: Cache for ads (Directory, nothing done)
D:\WINDOWS\System32\AdCache

Cydoor: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Cydoor

Cydoor: Internet library (Replace file, nothing done)
D:\WINDOWS\System32\cd_clint.dll

Cydoor: Settings for current user (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1801674531-1292428093-725345543-1003\Software\Cydoor

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1801674531-1292428093-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

Gator: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Gator.com

Gator: Hidden identity (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}

MoneyTree: Class (Registry key, nothing done)
HKEY_CLASSES_ROOT\UNIDIST.UniDistCtrl.1

MoneyTree: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7}

MoneyTree: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{C89BB48C-15D9-4F4F-803E-95D90F62BE62}

MoneyTree: Downloaded program file (File, nothing done)
D:\WINDOWS\Downloaded Program Files\UniDist.ocx

MoneyTree: Downloaded program file (File, nothing done)
D:\WINDOWS\Downloaded Program Files\UniDist.inf

MoneyTree: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{CA7CCB52-6922-47E5-B784-3A3F82C51863}

MoneyTree: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9F2C17AC-9AA4-4C3A-82C7-EA7BCF00F03D}

MoneyTree: Module usage setting (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/UniDist.ocx

MoneyTree: Typelib (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{96B01A48-1317-4A87-91F7-10116F755705}

WildTangent: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wcmdmgr

WildTangent: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\WildTangent

WildTangent: Personal user ID (File, nothing done)
D:\WINDOWS\wt\info.txt

WildTangent: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wcmd mgr.exe

WildTangent: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wtwe bdriver

WildTangent: Updater directory (Directory, nothing done)
D:\WINDOWS\wt\updater

WildTangent: Updates directory (Directory, nothing done)
D:\WINDOWS\wt\wtupdates

WildTangent: Web driver (File, nothing done)
D:\WINDOWS\wt\webdriver.dll

WildTangent: Web driver directory (Directory, nothing done)
D:\WINDOWS\wt\webdriver

Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1801674531-1292428093-725345543-1003\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=


--- Spybot-S&D version: 1.2 ---
2003-03-16 Includes\Cookies.sbi
2003-03-16 Includes\Dialer.sbi
2003-03-16 Includes\Hijackers.sbi
2003-03-16 Includes\Keyloggers.sbi
2003-03-16 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-03-16 Includes\Security.sbi
2003-03-16 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-03-16 Includes\Tracks.uti
2003-03-16 Includes\Trojans.sbi
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
06-Jan-2004, 05:16 PM #27
Can you post the HJT log?
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 05:21 PM #28
To conclude:

I run CWShredder and it found no problems.

I deleted the contents of the folder :
D:\Program Files\Common Files\updater

where the wupdater.exe was.

I uninstalled Wild Tagent programs (plugins for winamp).

I updated windows (all available security updates).
Last edited by nikos_nikos : 07-Jan-2004 04:16 PM.
nikos_nikos's Avatar
Junior Member with 9 posts.
  
Join Date: Jan 2004
06-Jan-2004, 08:06 PM #29
I removed some obvious stuff and here are my final logs
for HijackThis v1.97.7 , Ad-ware 6.0. and Spybot
Please tell me what has to be removed (I use adware version of Kazaa)



Logfile of HijackThis v1.97.7
Scan saved at 03:06:58, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\inetsrv\inetinfo.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\Fast.exe
D:\WINDOWS\System32\taskswitch.exe
D:\WINDOWS\System32\fast.exe
D:\Program Files\Drivers\Iomega\DriveIcons\ImgIcon.exe
D:\WINDOWS\System32\CTHELPER.EXE
D:\program files\music software\MUSICMATCH Jukebox\mmtask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\DVD Software\DVD5\WinDVD.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Nikos\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (D:\Documents and Settings\Nikos\Application Data\Mozilla\Profiles\default\zwur8jji.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CInternet%20Software%5CNetscape%5CNetscape%206%5Cse archplugins%5CSBWeb_01.src"); (D:\Documents and Settings\Nikos\Application Data\Mozilla\Profiles\default\zwur8jji.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx__SpybotSDDisabled (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - D:\Program Files\Internet Software\WebFerret\FerretBand.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - D:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Systran40stand.IEPlugIn - {EDDEB5CF-6CC3-11D6-ABAA-00B0D094B576} - D:\Program Files\Systran\4_0\Standard\IEPlugIn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CoolSwitch] D:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] D:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [Iomega Startup Options] D:\Program Files\Drivers\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] D:\Program Files\Drivers\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [mmtask] d:\program files\music software\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] D:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\video software\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SpyStopper] D:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Active Desktop Calendar] D:\Program Files\Utilities\Active Desktop Calendar\ADC.exe
O4 - Startup: clean.exe (2).lnk = J:\TEMP\CLEAN.EXE
O4 - Startup: clean.exe (3).lnk = E:\TEMP\clean.exe
O4 - Startup: clean.exe (4).lnk = F:\TEMP\clean.exe
O4 - Startup: CLEAN.EXE (5).lnk = C:\WINDOWS\TEMP\CLEAN.EXE
O4 - Startup: clean.exe.lnk = D:\TEMP\clean.exe
O4 - Startup: Task manager.lnk = D:\WINDOWS\system32\taskmgr.exe
O8 - Extra context menu item: Allow Popups - D:\Program Files\Internet Software\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Download with GetRight - D:\Program Files\Internet Software\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\Internet Software\GetRight\GRbrowse.htm
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: vertical.di.uoa.gr
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://cs5.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...987.5818171296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab






---------------------------------------------------------------------
Spybot (updated) log :
---------------------------------------------------------------------


MyWay.MyBar: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\MyWay\myBar

WhazIt: Installer (File, nothing done)
D:\WINDOWS\Downloaded Program Files\downloader.inf

Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1801674531-1292428093-725345543-1003\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=


--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-10-27 Includes\Dialer.sbi
2003-12-17 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-12-17 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-12-17 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-27 Includes\Tracks.uti
2003-12-10 Includes\Trojans.sbi




---------------------------------------------------------------------
Ad-ware 6.0 (updated) log :
---------------------------------------------------------------------




Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Τετάρτη, 7 Ιανουαρίου 2004 02:42:19
Created with Ad-aware Personal, free for private use.
Using reference-file :01R246 06.01.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R246 06.01.2004
Internal build : 173
File location : D:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 776473 Bytes
Signature data size : 761491 Bytes
Reference data size : 14918 Bytes
Signatures total : 17315
Target categories : 10
Target families : 394

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:50 %
Total physical memory:785904 kb
Available physical memory:392124 kb
Total page file size:1137044 kb
Available on page file:817064 kb
Total virtual memory:2097024 kb
Available virtual memory:2046576 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan within archives
Set : Scan my Hosts file


7-1-2004 02:42:19 - Scan started. (Custom mode)

Listing running processes
――――――――――――――――――――――――――――――――――――――

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-1-2004 23:45:29
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:45:38
BasePriority : High


#:3 [services.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:45:40
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:4 [lsass.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:45:40
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 29/8/2002 00:41:26

#:5 [svchost.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:45:42
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:6 [svchost.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:42
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:7 [spoolsv.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:45:46
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:8 [explorer.exe]
FilePath : D:\WINDOWS\
ThreadCreationTime : 6-1-2004 23:45:47
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 16/6/2003 03:12:58
Last accessed : 7/1/2004 00:21:04
Last modified : 29/8/2002 00:41:24

#:9 [inetinfo.exe]
FilePath : D:\WINDOWS\System32\inetsrv\
ThreadCreationTime : 6-1-2004 23:45:48
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
OriginalFilename : INETINFO.EXE
ProductName : Internet Information Services
Created on : 28/11/2003 13:25:44
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:10 [ctfmon.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:49
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 26/9/2002 14:36:37
Last accessed : 6/1/2004 23:42:56
Last modified : 29/8/2002 00:41:22

#:11 [mdm.exe]
FilePath : D:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 6-1-2004 23:45:49
BasePriority : Normal
FileSize : 328 KB
FileVersion : 7.10.3077
ProductVersion : 7.10.3077
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft
Created on : 19/3/2003 01:55:56
Last accessed : 6/1/2004 23:42:56
Last modified : 19/3/2003 01:55:56

#:12 [nvsvc32.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:49
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.16
Created on : 6/10/2003 12:16:00
Last accessed : 6/1/2004 23:42:56
Last modified : 6/10/2003 12:16:00

#:13 [svchost.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:51
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 6/1/2004 23:42:56
Last modified : 23/8/2001 10:00:00

#:14 [fast.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:52
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5.1.3564.0 (Lab06_DEV(lamadio).011003-1729)
ProductVersion : 5.1.3564.0
CompanyName : Microsoft Corporation
FileDescription : Super Fast User Switcher
InternalName : Fast
OriginalFilename : Fast.EXE
ProductName : Microsoft
Created on : 8/10/2001 09:59:36
Last accessed : 6/1/2004 23:45:52
Last modified : 8/10/2001 09:59:36

#:15 [taskswitch.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:53
BasePriority : Normal
FileSize : 44 KB
Created on : 8/10/2001 09:59:36
Last accessed : 6/1/2004 23:42:56
Last modified : 8/10/2001 09:59:36

#:16 [fast.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:54
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5.1.3564.0 (Lab06_DEV(lamadio).011003-1729)
ProductVersion : 5.1.3564.0
CompanyName : Microsoft Corporation
FileDescription : Super Fast User Switcher
InternalName : Fast
OriginalFilename : Fast.EXE
ProductName : Microsoft
Created on : 8/10/2001 09:59:36
Last accessed : 6/1/2004 23:45:52
Last modified : 8/10/2001 09:59:36

#:17 [imgicon.exe]
FilePath : D:\Program Files\Drivers\Iomega\DriveIcons\
ThreadCreationTime : 6-1-2004 23:45:54
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6, 3, 0, 30
ProductVersion : 6, 3, 0, 30
Copyright : 6.3, Copyright
CompanyName : Iomega Corp.
FileDescription : IMGICON
InternalName : IMGICON
OriginalFilename : IMGICON.exe
ProductName : Iomega Corp. IMGICON 6.3
Created on : 6/6/2001 06:40:45
Last accessed : 6/1/2004 23:42:56
Last modified : 12/9/2001 08:35:31

#:18 [cthelper.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 6-1-2004 23:45:58
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Creative Technology Ltd
FileDescription : cthelper
InternalName : cthelper
OriginalFilename : cthelper.exe
ProductName : cthelper
Created on : 4/3/2003 17:52:38
Last accessed : 6/1/2004 23:42:56
Last modified : 7/2/2002 16:01:24

#:19 [mmtask.exe]
FilePath : D:\program files\music software\MUSICMATCH Jukebox\
ThreadCreationTime : 6-1-2004 23:46:00
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 23/5/2003 02:36:47
Last accessed : 6/1/2004 23:42:56
Last modified : 19/5/2003 08:21:00

#:20 [ccapp.exe]
FilePath : D:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-1-2004 23:46:02
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 21/12/2003 05:43:38
Last accessed : 6/1/2004 23:42:56
Last modified : 2/12/2003 14:11:04

#:21 [taskmgr.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 6-1-2004 23:46:15
BasePriority : High
FileSize : 125 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
OriginalFilename : taskmgr.exe
ProductName : Microsoft
Created on : 26/9/2002 14:35:53
Last accessed : 7/1/2004 00:23:50
Last modified : 29/8/2002 00:41:28

#:22 [ccevtmgr.exe]
FilePath : D:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-1-2004 23:46:17
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 13/11/2002 13:44:02
Last accessed : 7/1/2004 00:20:31
Last modified : 13/11/2002 13:44:02

#:23 [iexplore.exe]
FilePath : D:\Program Files\Internet Explorer\
ThreadCreationTime : 7-1-2004 00:00:42
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 26/9/2002 14:37:45
Last accessed : 7/1/2004 00:10:49
Last modified : 29/8/2002 00:41:26

#:24 [notepad.exe]
FilePath : D:\WINDOWS\system32\
ThreadCreationTime : 7-1-2004 00:13:35
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 23/8/2001 10:00:00
Last accessed : 7/1/2004 00:27:56
Last modified : 23/8/2001 10:00:00

#:25 [nero.exe]
FilePath : D:\Program Files\CD-Recorder\Nero\Nero\
ThreadCreationTime : 7-1-2004 00:22:15
BasePriority : High
FileSize : 4960 KB
FileVersion : 5, 5, 10, 28
ProductVersion : 5, 5, 10, 28
Copyright : Copyright (c) 1995-2003 Ahead Software AG
CompanyName : Ahead Software AG
FileDescription : Nero - Burning Rom
InternalName : Nero - Burning Rom
OriginalFilename : NERO.EXE
ProductName : LANGUAGE_English2
Created on : 28/5/2003 23:26:33
Last accessed : 7/1/2004 00:22:15
Last modified : 24/4/2003 15:07:50

#:26 [imapi.exe]
FilePath : D:\WINDOWS\System32\
ThreadCreationTime : 7-1-2004 00:22:17
BasePriority : Normal
FileSize : 121 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Image Mastering API
InternalName : imapi
OriginalFilename : imapi.exe
ProductName : Microsoft
Created on : 26/9/2002 14:36:29
Last accessed : 7/1/2004 00:22:17
Last modified : 29/8/2002 00:41:26

#:27 [ad-aware.exe]
FilePath : D:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-1-2004 00:40:57
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 6/1/2004 23:36:18
Last accessed : 7/1/2004 00:11:46
Last modified : 12/7/2003 20:00:20

Memory scan result :
――――――――――――――――――――――――――――――――――――――
New objects : 0
Objects found so far: 0


Started registry scan
――――――――――――――――――――――――――――――――――――――

Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Registry scan result :
――――――――――――――――――――――――――――――――――――――
New objects : 2
Objects found so far: 2


Started deep registry scan
――――――――――――――――――――――――――――――――――――――

Deep registry scan result :
――――――――――――――――――――――――――――――――――――――
New objects : 0
Objects found so far: 2


Deep scanning and examining files (D
――――――――――――――――――――――――――――――――――――――

NCase Object recognized!
Type : File
Data : kyf.dat
Category : Data Miner
Comment :
Object : D:\WINDOWS\
FileSize : 872 KB
Created on : 7/7/2003 06:18:23
Last accessed : 6/1/2004 23:55:24
Last modified : 7/7/2003 06:19:50



Whazit Object recognized!
Type : File
Data : whatzit.xml
Category : Malware
Comment :
Object : D:\WINDOWS\
FileSize : 1 KB
Created on : 7/7/2003 06:19:19
Last accessed : 6/1/2004 23:55:25
Last modified : 7/7/2003 06:19:19



Disk scan result for D:\
――――――――――――――――――――――――――――――――――――――
New objects : 0
Objects found so far: 4


Performing conditional scans..
――――――――――――――――――――――――――――――――――――――

NCase Object recognized!
Type : File
Data : fiz1
Category : Data Miner
Comment :
Object : d:\windows\

Created on : 7/7/2003 06:19:32
Last accessed : 6/1/2004 23:55:26
Last modified : 7/7/2003 06:19:32



Whazit Object recognized!
Type : File
Data : downloader.inf
Category : Malware
Comment :
Object : d:\windows\downloaded program files\

Created on : 3/7/2003 20:38:14
Last accessed : 6/1/2004 23:55:26
Last modified : 3/7/2003 20:38:14



Conditional scan result:
――――――――――――――――――――――――――――――――――――――
New objects : 2
Objects found so far: 6


02:51:52 Scan complete

Summary of this scan
――――――――――――――――――――――――――――――――――――――
Total scanning time :00:09:33:78
Objects scanned :164305
Objects identified :6
Objects ignored :0
New objects :6
cybertech's Avatar
Computer Specs
Moderator with 68,253 posts.
  
Join Date: Apr 2002
Location: Washington State
08-Jan-2004, 09:43 AM #30
Looks ok, are you having any problems?
Closed Thread Bookmark and Share
Page 2 of 3 1 2 3

Smart Search

Find your solution!


« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 07:12 PM.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2009, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.