hawkeye Posted November 2, 2004

Ad-Aware SE Build 1.05
Logfile Created on:Tuesday, November 02, 2004 1:39:46 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R16 28.10.2004

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:8):42 total references
Alexa(TAC index:5):1 total references
BlazeFind(TAC index:5):5 total references
BookedSpace(TAC index:10):19 total references
CoolWebSearch(TAC index:10):40 total references
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):85 total references
istbar.dotcomToolbar(TAC index:5):4 total references
Possible Browser Hijack attempt(TAC index:3):111 total references
Powerscan(TAC index:5):2 total references
Search Miracle(TAC index:5):1 total references
Tracking Cookie(TAC index:3):3 total references
Win32.Backdoor.Agobot(TAC index:8):1 total references
WinAD(TAC index:7):1 total references
WindUpdates(TAC index:8):4 total references
VX2(TAC index:10):79 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

11-2-2004 1:39:46 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
  FilePath : \SystemRoot\System32\
  ProcessID : 152
  ThreadCreationTime : 11-2-2004 4:41:35 AM
  BasePriority : Normal

#:2 [csrss.exe]
  FilePath : \??\C:\WINNT\system32\
  ProcessID : 176
  ThreadCreationTime : 11-2-2004 4:41:38 AM
  BasePriority : Normal

#:3 [winlogon.exe]
  FilePath : \??\C:\WINNT\system32\
  ProcessID : 172
  ThreadCreationTime : 11-2-2004 4:41:40 AM
  BasePriority : High

#:4 [services.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 224
  ThreadCreationTime : 11-2-2004 4:41:41 AM
  BasePriority : Normal
  FileVersion : 5.00.2134.1
  ProductVersion : 5.00.2134.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Services and Controller app
  InternalName : services.exe
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : services.exe

#:5 [lsass.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 236
  ThreadCreationTime : 11-2-2004 4:41:41 AM
  BasePriority : Normal
  FileVersion : 5.00.2184.1
  ProductVersion : 5.00.2184.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : LSA Executable and Server DLL (Export Version)
  InternalName : lsasrv.dll and lsass.exe
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 372
  ThreadCreationTime : 11-2-2004 4:41:43 AM
  BasePriority : Normal
  FileVersion : 5.00.2134.1
  ProductVersion : 5.00.2134.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Generic Host Process for Win32 Services
  InternalName : svchost.exe
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : svchost.exe

#:7 [svchost.exe]
  FilePath : C:\WINNT\System32\
  ProcessID : 420
  ThreadCreationTime : 11-2-2004 4:41:44 AM
  BasePriority : Normal
  FileVersion : 5.00.2134.1
  ProductVersion : 5.00.2134.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Generic Host Process for Win32 Services
  InternalName : svchost.exe
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : svchost.exe

#:8 [spoolsv.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 476
  ThreadCreationTime : 11-2-2004 4:41:45 AM
  BasePriority : Normal
  FileVersion : 5.00.2161.1
  ProductVersion : 5.00.2161.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Spooler SubSystem App
  InternalName : spoolss.exe
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : spoolss.exe

#:9 [avgamsvr.exe]
  FilePath : C:\PROGRA~1\Grisoft\AVG7\
  ProcessID : 500
  ThreadCreationTime : 11-2-2004 4:41:45 AM
  BasePriority : Normal
  FileVersion : 7,0,0,270
  ProductVersion : 7.0.0.270
  ProductName : AVG Anti-Virus System
  CompanyName : GRISOFT, s.r.o.
  FileDescription : AVG Alert Manager
  InternalName : avgamsvr
  LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
  OriginalFilename : avgamsvr.EXE

#:10 [avgupsvc.exe]
  FilePath : C:\PROGRA~1\Grisoft\AVG7\
  ProcessID : 516
  ThreadCreationTime : 11-2-2004 4:41:45 AM
  BasePriority : Normal
  FileVersion : 7,0,0,280
  ProductVersion : 7.0.0.280
  ProductName : AVG 7.0 Anti-Virus System
  CompanyName : GRISOFT, s.r.o.
  FileDescription : AVG Update Service
  InternalName : avgupsvc
  LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
  OriginalFilename : avgupdsvc.EXE

#:11 [hidserv.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 544
  ThreadCreationTime : 11-2-2004 4:41:46 AM
  BasePriority : Normal
  FileVersion : 5.00.2134.1
  ProductVersion : 5.00.2134.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : HID Audio Service
  InternalName : hidserv
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : HIDSERV.EXE

#:12 [appservices.exe]
  FilePath : C:\PROGRA~1\Iomega\System32\
  ProcessID : 560
  ThreadCreationTime : 11-2-2004 4:41:46 AM
  BasePriority : Normal
  FileVersion : 2, 0, 2, 5
  ProductVersion : 2, 0, 2, 5
  ProductName : Iomega App Services
  CompanyName : Iomega Corporation
  FileDescription : AppServices
  InternalName : AppServices
  LegalCopyright : Copyright © 2000
  OriginalFilename : AppService.exe
  Comments : Iomega App Services For Windows 2000/NT

#:13 [regsvc.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 592
  ThreadCreationTime : 11-2-2004 4:41:47 AM
  BasePriority : Normal
  FileVersion : 5.00.2155.1
  ProductVersion : 5.00.2155.1
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Remote Registry Service
  InternalName : regsvc
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : REGSVC.EXE

#:14 [mstask.exe]
  FilePath : C:\WINNT\system32\
  ProcessID : 608
  ThreadCreationTime : 11-2-2004 4:41:47 AM
  BasePriority : Normal
  FileVersion : 4.71.2137.1
  ProductVersion : 4.71.2137.1
  ProductName : Microsoft® Windows® Task Scheduler
  CompanyName : Microsoft Corporation
  FileDescription : Task Scheduler Engine
  InternalName : TaskScheduler
  LegalCopyright : Copyright © Microsoft Corp. 1997
  OriginalFilename : mstask.exe

#:15 [winmgmt.exe]
  FilePath : C:\WINNT\System32\WBEM\
  ProcessID : 668
  ThreadCreationTime : 11-2-2004 4:41:48 AM
  BasePriority : Normal
  FileVersion : 1.50.1085.0001
  ProductVersion : 1.50.1085.0001
  ProductName : Windows Management Instrumentation
  CompanyName : Microsoft Corporation
  FileDescription : Windows Management Instrumentation
  InternalName : WINMGMT
  LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:16 [adservice.exe]
  FilePath : C:\Program Files\Iomega\AutoDisk\
  ProcessID : 684
  ThreadCreationTime : 11-2-2004 4:41:49 AM
  BasePriority : Normal
  FileVersion : 3, 2, 1, 5
  ProductVersion : 3, 2, 1, 5
  ProductName : Iomega Active Disk
  CompanyName : Iomega Corporation
  FileDescription : Active Disk Service
  InternalName : ADService
  LegalCopyright : Copyright © 2002
  OriginalFilename : ADService.exe

#:17 [explorer.exe]
  FilePath : C:\WINNT\
  ProcessID : 856
  ThreadCreationTime : 11-2-2004 4:42:00 AM
  BasePriority : Normal
  FileVersion : 5.00.2920.0000
  ProductVersion : 5.00.2920.0000
  ProductName : Microsoft® Windows ® 2000 Operating System
  CompanyName : Microsoft Corporation
  FileDescription : Windows Explorer
  InternalName : explorer
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : EXPLORER.EXE

#:18 [adusermon.exe]
  FilePath : C:\Program Files\Iomega\AutoDisk\
  ProcessID : 1048
  ThreadCreationTime : 11-2-2004 4:42:26 AM
  BasePriority : Normal
  FileVersion : 3, 2, 1, 5
  ProductVersion : 3, 2, 1, 5
  ProductName : Iomega Active Disk
  CompanyName : Iomega Corporation
  FileDescription : Active Disk User Monitor
  InternalName : ADUserMon
  LegalCopyright : Copyright © 2002
  OriginalFilename : ADUserMon.exe

#:19 [imgicon.exe]
  FilePath : C:\Program Files\Iomega\DriveIcons\
  ProcessID : 1056
  ThreadCreationTime : 11-2-2004 4:42:26 AM
  BasePriority : Normal

#:20 [loadqm.exe]
  FilePath : C:\WINNT\
  ProcessID : 1084
  ThreadCreationTime : 11-2-2004 4:42:27 AM
  BasePriority : Normal
  FileVersion : 5.4.1103.3
  ProductVersion : 5.4.1103.3
  ProductName : QMgr Loader
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft QMgr
  InternalName : LOADQM.EXE
  LegalCopyright : Copyright © Microsoft Corp. 1981-1999
  OriginalFilename : LOADQM.EXE

#:21 [winampa.exe]
  FilePath : C:\Program Files\Winamp\
  ProcessID : 1124
  ThreadCreationTime : 11-2-2004 4:42:29 AM
  BasePriority : Normal

#:22 [winadtools.exe]
  FilePath : C:\Program Files\Windows AdTools\
  ProcessID : 1092
  ThreadCreationTime : 11-2-2004 4:42:30 AM
  BasePriority : Normal

WindUpdates Object Recognized!
  Type : Process
  Data : WinAdTools.exe
  Category : Data Miner
  Comment : full-search IE hijacker
  Object : C:\Program Files\Windows AdTools\

Warning! WindUpdates Object found in memory(C:\Program Files\Windows AdTools\WinAdTools.exe)
Warning! "C:\Program Files\Windows AdTools\WinAdTools.exe"Process could not be terminated!
Warning! "C:\Program Files\Windows AdTools\WinAdTools.exe"Process could not be terminated!

#:23 [winratchet.exe]
  FilePath : C:\Program Files\Windows AdTools\
  ProcessID : 1160
  ThreadCreationTime : 11-2-2004 4:42:31 AM
  BasePriority : Normal

#:24 [avgcc.exe]
  FilePath : C:\PROGRA~1\Grisoft\AVG7\
  ProcessID : 1176
  ThreadCreationTime : 11-2-2004 4:42:31 AM
  BasePriority : Normal
  FileVersion : 7,0,0,260
  ProductVersion : 7.0.0.260
  ProductName : AVG Anti-Virus System
  CompanyName : GRISOFT, s.r.o.
  FileDescription : AVG Control Center
  InternalName : AvgCC
  LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
  OriginalFilename : AvgCC.EXE

#:25 [avgemc.exe]
  FilePath : C:\PROGRA~1\Grisoft\AVG7\
  ProcessID : 1184
  ThreadCreationTime : 11-2-2004 4:42:32 AM
  BasePriority : Normal
  FileVersion : 7,0,0,279
  ProductVersion : 7.0.0.279
  ProductName : AVG Anti-Virus System
  CompanyName : GRISOFT, s.r.o.
  FileDescription : AVG E-Mail Scanner
  InternalName : avgemc
  LegalCopyright : Copyright © 2004, GRISOFT, s.r.o.
  OriginalFilename : avgemc.exe

#:26 [msnmsgr.exe]
  FilePath : C:\Program Files\MSN Messenger\
  ProcessID : 1212
  ThreadCreationTime : 11-2-2004 4:42:34 AM
  BasePriority : Normal
  FileVersion : 6.2.0137
  ProductVersion : Version 6.2
  ProductName : MSN Messenger
  CompanyName : Microsoft Corporation
  FileDescription : MSN Messenger
  InternalName : msnmsgr
  LegalCopyright : Copyright © Microsoft Corporation 1997-2004
  LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
  OriginalFilename : msnmsgr.exe

#:27 [netscp.exe]
  FilePath : C:\Program Files\Netscape\Netscape\
  ProcessID : 1116
  ThreadCreationTime : 11-2-2004 5:03:04 AM
  BasePriority : Normal

#:28 [ad-aware.exe]
  FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
  ProcessID : 1244
  ThreadCreationTime : 11-2-2004 5:39:07 AM
  BasePriority : Normal
  FileVersion : 6.2.0.206
  ProductVersion : VI.Second Edition
  ProductName : Lavasoft Ad-Aware SE
  CompanyName : Lavasoft Sweden
  FileDescription : Ad-Aware SE Core application
  InternalName : Ad-Aware.exe
  LegalCopyright : Copyright © Lavasoft Sweden
  OriginalFilename : Ad-Aware.exe
  Comments : All Rights Reserved

#:29 [hh.exe]
  FilePath : C:\WINNT\
  ProcessID : 1304
  ThreadCreationTime : 11-2-2004 5:39:07 AM
  BasePriority : Normal
  FileVersion : 4.74.8702
  ProductVersion : 4.74.8702
  ProductName : HTML Help
  CompanyName : Microsoft Corporation
  FileDescription : Microsoft® HTML Help Executable
  InternalName : HH 1.3
  LegalCopyright : Copyright © Microsoft Corp.
  OriginalFilename : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\180solutions

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{7b55bb05-0b4d-44fd-81a6-b136188f5deb}
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : typelib\{00a322e2-7d50-4dba-bea4-5c8078d47269}

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : interface\{18e6c36a-c45f-4b60-a1a4-5c0bb16d4cc2}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : interface\{18e6c36a-c45f-4b60-a1a4-5c0bb16d4cc2}
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : wer1306.wer1306

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : wer1306.wer1306
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : wer1306.wer1306.1

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : wer1306.wer1306.1
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{5321e378-ffad-4999-8c62-03ca8155f0b3}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{5321e378-ffad-4999-8c62-03ca8155f0b3}
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : replace.hbo.1

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : replace.hbo.1
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : replace.hbo

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : replace.hbo
  Value :

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}
  Value :

Elitum.ElitebarBHO Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
  Value :

Elitum.ElitebarBHO Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
  Value : UninstallString

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
  Value : DisplayName

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\uninstall\elitebar internet explorer toolbar
  Value : DisplayIcon

Elitum.ElitebarBHO Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : AccountNumber

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : CountryCode

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : axparam

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : uninstalled

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : _show

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : FirstTimeStarted

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : SearchIndex

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : AutoComplete

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : ac1

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : adult.tbr

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : default.tbr

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : search.mnu

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : version

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : path

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : UpdateDate

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : searchkeys

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : errorreport

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : excluded

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : keywords

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : city

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : state

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : country

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : Activated

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\backup\elitetoolbar
  Value : guid

Elitum.ElitebarBHO Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : AccountNumber

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : CountryCode

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : axparam

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : uninstalled

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : _show

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : FirstTimeStarted

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : SearchIndex

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : AutoComplete

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : ac1

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : adult.tbr

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : default.tbr

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : search.mnu

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : version

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : path

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : UpdateDate

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : searchkeys

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : errorreport

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : excluded

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : keywords

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : city

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : state

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : country

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : Activated

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\elitum\elitetoolbar
  Value : guid

istbar.dotcomToolbar Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : istactivex.installer.2

istbar.dotcomToolbar Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : istactivex.installer.2
  Value :

istbar.dotcomToolbar Object Recognized!
  Type : Regkey
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : istactivex.installer

istbar.dotcomToolbar Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : istactivex.installer
  Value :

VX2 Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : localnrddll.localnrddllobj.1

VX2 Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : localnrddll.localnrddllobj.1
  Value :

VX2 Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad}

VX2 Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad}
  Value :

180Solutions Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment : "partner_id"
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\msbb
  Value : partner_id

Alexa Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
  Rootkey : HKEY_USERS
  Object : S-1-5-21-1214440339-1677128483-839522115-500\software\microsoft\internet explorer\extensions\cmdmapping
  Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment : "HOMEOldSP"
  Rootkey : HKEY_USERS
  Object : .DEFAULT\software\microsoft\internet explorer\main
  Value : HOMEOldSP

Ebates MoneyMaker Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment : "AC"
  Rootkey : HKEY_USERS
  Object : S-1-5-21-1214440339-1677128483-839522115-500\software\lq
  Value : AC

Elitum.ElitebarBHO Object Recognized!
  Type : RegValue
  Data :
  Category : Data Miner
  Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
  Rootkey : HKEY_USERS
  Object : S-1-5-21-1214440339-1677128483-839522115-500\software\microsoft\internet explorer\toolbar\webbrowser
  Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}

Powerscan Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment : "LoadNum"
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\powerscan
  Value : LoadNum

Win32.Backdoor.Agobot Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment : "sys29"
  Rootkey : HKEY_LOCAL_MACHINE
  Object : software\microsoft\windows\currentversion\run
  Value : sys29

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 89
Objects found so far: 90

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Page\temp\sp.html

Possible Browser Hijack attempt Object Recognized!
  Type : RegData
  Data : "file://C:\WINNT\TEMP\sp.html"
  Category : Malware
  Comment : Possible Browser Hijack attempt
  Rootkey : HKEY_USERS
  Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
  Value : Search Page
  Data : "file://C:\WINNT\TEMP\sp.html"

Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Bar\temp\sp.html

Possible Browser Hijack attempt Object Recognized!
  Type : RegData
  Data : "file://C:\WINNT\TEMP\sp.html"
  Category : Malware
  Comment : Possible Browser Hijack attempt
  Rootkey : HKEY_USERS
  Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
  Value : Search Bar
  Data : "file://C:\WINNT\TEMP\sp.html"

Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistant\temp\sp.html

Possible Browser Hijack attempt Object Recognized!
  Type : RegData
  Data : "file://C:\WINNT\TEMP\sp.html"
  Category : Malware
  Comment : Possible Browser Hijack attempt
  Rootkey : HKEY_USERS
  Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search
  Value : SearchAssistant
  Data : "file://C:\WINNT\TEMP\sp.html"

CoolWebSearch Object Recognized!
  Type : Regkey
  Data :
  Category : Malware
  Comment : C:\WINNT\System32\wer1306.dll
  Rootkey : HKEY_CLASSES_ROOT
  Object : CLSID\{CF021F40-3E14-23A5-CBA2-717765721306}

CoolWebSearch Object Recognized!
  Type : RegValue
  Data :
  Category : Malware
  Comment : C:\WINNT\System32\wer1306.dll
  Rootkey : HKEY_CLASSES_ROOT
  Object : CLSID\{CF021F40-3E14-23A5-CBA2-717765721306}
  Value :

CoolWebSearch Object Recognized!
  Type : File
  Data : wer1306.dll
  Category : Malware
  Comment :
  Object : c:\winnt\system32\

CoolWebSearch Object Recognized!
  Type : Regkey
  Data : C:\WINNT\System32\wer1306.dll
  Category : Malware
  Comment :
  Rootkey : HKEY_CLASSES_ROOT
  Object : TYPELIB\{CF021F32-3E14-23A5-CBA2-717765721306}

Trusted zone presumably compromised : blazefind.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : blazefind.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : blazefind.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com
  Value : *

Trusted zone presumably compromised : flingstone.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : flingstone.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : flingstone.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com
  Value : *

Trusted zone presumably compromised : searchbarcash.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : searchbarcash.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : searchbarcash.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com
  Value : *

Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : searchmiracle.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : searchmiracle.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
  Value : *

Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : slotch.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : slotch.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
  Value : *

Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : xxxtoolbar.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : xxxtoolbar.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
  Value : *

Trusted zone presumably compromised : blazefind.com
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : clickspring.net
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net

Possible Browser Hijack attempt Object Recognized!
  Type : RegValue
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : clickspring.net
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
  Value : *

Trusted zone presumably compromised : flingstone.com
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
  Type : Regkey
  Data :
  Category : Vulnerability
  Comment : Trusted zone presumably compromised : mt-download.com
  Rootkey : HKEY_LOCAL_MACHINE
  Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : mt-download.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com Value : *Trusted zone presumably compromised : my-internet.info Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : my-internet.info Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info Possible Browser Hijack attempt Object Recognized! Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : my-internet.info Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info Value : *Trusted zone presumably compromised : searchbarcash.comTrusted zone presumably compromised : searchbarcash.comTrusted zone presumably compromised : searchmiracle.comTrusted zone presumably compromised : slotch.comDeep registry scan result:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»New critical objects: 24Objects found so far: 115Started Tracking Cookie scan»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking Cookie Object Recognized! Type : IECache Entry Data : administrator@0[1].txt Category : Data Miner Comment : Hits:1 Value : Cookie:[email protected]/HTM/461/0 Expires : 7-16-2005 3:36:48 PM LastSync : Hits:1 UseCount : 0 Hits : 1 Tracking Cookie Object Recognized! Type : IECache Entry Data : [email protected][2].txt Category : Data Miner Comment : Hits:17 Value : Cookie:[email protected]/ Expires : 7-26-2004 1:38:44 PM LastSync : Hits:17 UseCount : 0 Hits : 17 Tracking Cookie Object Recognized! 
Type : IECache Entry Data : administrator@0[3].txt Category : Data Miner Comment : Hits:2 Value : Cookie:[email protected]/HTM/461/0 Expires : 7-16-2005 3:37:02 PM LastSync : Hits:2 UseCount : 0 Hits : 2Tracking cookie scan result:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»New critical objects: 3Objects found so far: 118Deep scanning and examining files (C:)»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» WinAD Object Recognized! Type : File Data : ide21201.vxd Category : Malware Comment : Object : C:\WINNT\system32\ VX2 Object Recognized! Type : File Data : twaintec.ini Category : Malware Comment : Object : C:\WINNT\ VX2 Object Recognized! Type : File Data : multimpp.dll Category : Malware Comment : Object : C:\WINNT\ FileVersion : 0, 5, 4, 35 ProductVersion : 0, 5, 4, 35 ProductName : multimpp CompanyName : Multimpp FileDescription : www.multimpp.com InternalName : multimpp LegalCopyright : Copyright © 2003 OriginalFilename : multimpp.dll Comments : www.multimpp.com BlazeFind Object Recognized! Type : File Data : Key2.txt Category : Malware Comment : Object : C:\WINNT\ 180Solutions Object Recognized! Type : File Data : msbbhook.dll Category : Data Miner Comment : Object : C:\WINNT\ VX2 Object Recognized! Type : File Data : localNRD.dll Category : Malware Comment : Object : C:\WINNT\ FileVersion : 0, 4, 4, 30 ProductVersion : 0, 4, 4, 30 ProductName : localnrd CompanyName : LocalNRD FileDescription : www.localnrd.com InternalName : localnrd LegalCopyright : Copyright © 2004 OriginalFilename : localnrd.dll Comments : www.localnrd.com 180Solutions Object Recognized! Type : File Data : msbb.exe_tobedeleted Category : Data Miner Comment : Object : C:\WINNT\ FileVersion : 5, 12, 0, 13 ProductVersion : 5, 12, 0, 13 ProductName : Search Assistant CompanyName : 180solutions, Inc. FileDescription : Search Assistant LegalCopyright : Copyright © 2004, 180solutions Inc. Elitum.ElitebarBHO Object Recognized! 
Type : File Data : preInsln.exe Category : Data Miner Comment : Object : C:\WINNT\ VX2 Object Recognized! Type : File Data : preInMPP.exe Category : Malware Comment : Object : C:\WINNT\ Search Miracle Object Recognized! Type : File Data : silent_install[1].exe Category : Malware Comment : Object : C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\I3M7YXEN\ FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1Object "mxTarget.dll" found in this archive. VX2 Object Recognized! Type : File Data
hawkeye (author) Posted November 2, 2004

Logfile of HijackThis v1.98.2
Scan saved at 3:09:37 PM, on 11/2/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\hidserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Windows AdTools\WinRatchet.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\AD-AWARE.EXE
C:\Program Files\Windows AdTools\WinAdTools.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\Temp for Z\HijackThis19802.exe

F3 - REG:win.ini: run=C:\WINNT\System32\services\stat.exe
N3 - Netscape 7: # Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the browser is running,
 * the changes will be overwritten when the browser exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref(".aim.session.autologin", false);
user_pref(".aim.session.password", "0");
user_pref(".aim.session.storepassword", false);
user_pref("Pauline.aim.session.autologin", false);
user_pref("Pauline.aim.session.connectionname", "AIM");
user_pref("Pauline.aim.session.password", "0");
user_pref("Pauline.aim.session.storepassword", false);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.latestaimscreenname", "Pauline");
user_pref("aim.session.userconnectionname", "ICQ");
user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pre
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\System32\services\2.01.00.dll (file missing)
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [sys29] C:\winnt\system32\winynl32.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\System32\services\stat.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\System32\services\stat.exe

I have also deleted 2 other items which I cannot restore, please help me.
Thank you.
Regards,
Hawkeye.
robroy Posted November 2, 2004

Welcome aboard Hawkeye. Somebody who can help will be along eventually.
JD
hawkeye (author) Posted November 11, 2004

Hello Robroy,
Thank you, I've not been able to get to the computer the last few days. Sadly I cannot see any solutions for my problems yet, or maybe I'm too new to this and don't know the right way to view the forum? Well, I hope someone will give me some help soon. Nice chatting with you and have a good day.
Regards,
Hawkeye
robroy Posted November 11, 2004

Trying to get you help.
JD
Besttechie Posted November 11, 2004

Hi,

First off, you don't have HJT in a permanent folder. Click My Computer, then C:\. In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it. This will allow backups to be made and saved by HijackThis in case something goes wrong. Follow this link http://www.netstar.me.uk/hjt/hjt.html if you need help.

Then open the task manager (Ctrl + Alt + Del). Stop these two processes.

WinRatchet.exe
WinAdTools.exe

Then close all explorer windows except HijackThis. Then have HijackThis fix these entries.

F3 - REG:win.ini: run=C:\WINNT\System32\services\stat.exe
........
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM\..\Run: [sys29] C:\winnt\system32\winynl32.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\System32\services\stat.exe
.......

Then boot into Safe Mode and delete the following files and folders. Once in Safe Mode make sure you show all hidden files and folders.
How to unhide hidden files and folders

C:\WINNT\System32\twink64.exe
Delete the twink64.exe file.

C:\Program Files\Windows AdTools\WinAdTools.exe
Delete the Windows AdTools folder.

C:\winnt\system32\winynl32.exe
Delete the winynl32.exe file.

C:\WINNT\System32\services\stat.exe
Delete the stat.exe file.

Then once you're done, reboot and run:
Housecall Virus Scan
Select the auto clean option. After that's done post a new HijackThis logfile, and we will check to make sure you are clean.

B
hawkeye (author) Posted November 11, 2004

Hello BestTechie,
Thank you so much for all the info. Sorry to tell you that I'm really an idiot when it comes to stuff like this, so it will take some time for me to understand your whole explanation. I will try my best to do exactly as told and hope you can guide me again when any more problems come up. Before I read your post I did a scan with Ad-Aware and have saved the log; please take a look at it and see if there are any problems I'm having. It's posted right below. Thank you very much again for all the help and time taken, have a wonderful day.
Regards,
Hawkeye

Ad-Aware SE Build 1.05Logfile Created on:Friday, November 12, 2004 12:28:04 AMCreated with Ad-Aware SE Personal, free for private use.Using definitions file:SE1R16 28.10.2004»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»References detected during the scan:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»180Solutions(TAC index:8):35 total referencesAlexa(TAC index:5):1 total referencesElitum.ElitebarBHO(TAC index:5):1 total referencesMRU List(TAC index:0):20 total referencesPossible Browser Hijack attempt(TAC index:3):111 total referencesTopMoxie(TAC index:3):1 total referencesTracking Cookie(TAC index:3):3 total referencesWin32.Backdoor.Agobot(TAC index:8):1 total references»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»Ad-Aware SE Settings===========================Set : Search for negligible risk entriesSet : Safe mode (always request confirmation)Set : Scan active processesSet : Scan registrySet : Deep-scan registrySet : Scan my IE Favorites for banned URLsSet : Scan my Hosts fileExtended Ad-Aware SE Settings===========================Set : Unload recognized processes & modules during scanSet : Scan registry for all users instead of current user onlySet : Always try to unload modules before deletionSet : During removal, unload Explorer and IE if necessarySet : Let Windows remove files in use at next rebootSet : Delete quarantined objects after 
restoringSet : Include basic Ad-Aware settings in log fileSet : Include additional Ad-Aware settings in log fileSet : Include reference summary in log fileSet : Include alternate data stream details in log fileSet : Play sound at scan completion if scan locates critical objects11/12/2004 12:28:04 AM - Scan started. (Smart mode)Listing running processes»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»#:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 152 ThreadCreationTime : 11/11/2004 4:25:37 PM BasePriority : Normal#:2 [csrss.exe] FilePath : \??\C:\WINNT\system32\ ProcessID : 176 ThreadCreationTime : 11/11/2004 4:25:48 PM BasePriority : Normal#:3 [winlogon.exe] FilePath : \??\C:\WINNT\system32\ ProcessID : 172 ThreadCreationTime : 11/11/2004 4:25:50 PM BasePriority : High#:4 [services.exe] FilePath : C:\WINNT\system32\ ProcessID : 224 ThreadCreationTime : 11/11/2004 4:25:51 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : services.exe#:5 [lsass.exe] FilePath : C:\WINNT\system32\ ProcessID : 236 ThreadCreationTime : 11/11/2004 4:25:51 PM BasePriority : Normal FileVersion : 5.00.2184.1 ProductVersion : 5.00.2184.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : LSA Executable and Server DLL (Export Version) InternalName : lsasrv.dll and lsass.exe LegalCopyright : Copyright © Microsoft Corp. 
1981-1999 OriginalFilename : lsasrv.dll and lsass.exe#:6 [svchost.exe] FilePath : C:\WINNT\system32\ ProcessID : 372 ThreadCreationTime : 11/11/2004 4:25:53 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe#:7 [svchost.exe] FilePath : C:\WINNT\System32\ ProcessID : 420 ThreadCreationTime : 11/11/2004 4:25:54 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : svchost.exe#:8 [spoolsv.exe] FilePath : C:\WINNT\system32\ ProcessID : 468 ThreadCreationTime : 11/11/2004 4:25:54 PM BasePriority : Normal FileVersion : 5.00.2161.1 ProductVersion : 5.00.2161.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolss.exe LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : spoolss.exe#:9 [avgamsvr.exe] FilePath : C:\PROGRA~1\Grisoft\AVG7\ ProcessID : 500 ThreadCreationTime : 11/11/2004 4:25:55 PM BasePriority : Normal FileVersion : 7,0,0,270 ProductVersion : 7.0.0.270 ProductName : AVG Anti-Virus System CompanyName : GRISOFT, s.r.o. FileDescription : AVG Alert Manager InternalName : avgamsvr LegalCopyright : Copyright © 2004, GRISOFT, s.r.o. 
OriginalFilename : avgamsvr.EXE#:10 [avgupsvc.exe] FilePath : C:\PROGRA~1\Grisoft\AVG7\ ProcessID : 516 ThreadCreationTime : 11/11/2004 4:25:55 PM BasePriority : Normal FileVersion : 7,0,0,280 ProductVersion : 7.0.0.280 ProductName : AVG 7.0 Anti-Virus System CompanyName : GRISOFT, s.r.o. FileDescription : AVG Update Service InternalName : avgupsvc LegalCopyright : Copyright © 2004, GRISOFT, s.r.o. OriginalFilename : avgupdsvc.EXE#:11 [hidserv.exe] FilePath : C:\WINNT\system32\ ProcessID : 544 ThreadCreationTime : 11/11/2004 4:25:55 PM BasePriority : Normal FileVersion : 5.00.2134.1 ProductVersion : 5.00.2134.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : HID Audio Service InternalName : hidserv LegalCopyright : Copyright © Microsoft Corp. 1981-1999 OriginalFilename : HIDSERV.EXE#:12 [appservices.exe] FilePath : C:\PROGRA~1\Iomega\System32\ ProcessID : 556 ThreadCreationTime : 11/11/2004 4:25:56 PM BasePriority : Normal FileVersion : 2, 0, 2, 5 ProductVersion : 2, 0, 2, 5 ProductName : Iomega App Services CompanyName : Iomega Corporation FileDescription : AppServices InternalName : AppServices LegalCopyright : Copyright © 2000 OriginalFilename : AppService.exe Comments : Iomega App Services For Windows 2000/NT#:13 [regsvc.exe] FilePath : C:\WINNT\system32\ ProcessID : 596 ThreadCreationTime : 11/11/2004 4:25:56 PM BasePriority : Normal FileVersion : 5.00.2155.1 ProductVersion : 5.00.2155.1 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Remote Registry Service InternalName : regsvc LegalCopyright : Copyright © Microsoft Corp. 
1981-1999 OriginalFilename : REGSVC.EXE#:14 [mstask.exe] FilePath : C:\WINNT\system32\ ProcessID : 616 ThreadCreationTime : 11/11/2004 4:25:57 PM BasePriority : Normal FileVersion : 4.71.2137.1 ProductVersion : 4.71.2137.1 ProductName : Microsoft® Windows® Task Scheduler CompanyName : Microsoft Corporation FileDescription : Task Scheduler Engine InternalName : TaskScheduler LegalCopyright : Copyright © Microsoft Corp. 1997 OriginalFilename : mstask.exe#:15 [winmgmt.exe] FilePath : C:\WINNT\System32\WBEM\ ProcessID : 672 ThreadCreationTime : 11/11/2004 4:25:58 PM BasePriority : Normal FileVersion : 1.50.1085.0001 ProductVersion : 1.50.1085.0001 ProductName : Windows Management Instrumentation CompanyName : Microsoft Corporation FileDescription : Windows Management Instrumentation InternalName : WINMGMT LegalCopyright : Copyright © Microsoft Corp. 1995-1999#:16 [adservice.exe] FilePath : C:\Program Files\Iomega\AutoDisk\ ProcessID : 688 ThreadCreationTime : 11/11/2004 4:25:59 PM BasePriority : Normal FileVersion : 3, 2, 1, 5 ProductVersion : 3, 2, 1, 5 ProductName : Iomega Active Disk CompanyName : Iomega Corporation FileDescription : Active Disk Service InternalName : ADService LegalCopyright : Copyright © 2002 OriginalFilename : ADService.exe#:17 [explorer.exe] FilePath : C:\WINNT\ ProcessID : 892 ThreadCreationTime : 11/11/2004 4:26:11 PM BasePriority : Normal FileVersion : 5.00.2920.0000 ProductVersion : 5.00.2920.0000 ProductName : Microsoft® Windows ® 2000 Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : Copyright © Microsoft Corp. 
1981-1999 OriginalFilename : EXPLORER.EXE#:18 [ad-aware.exe] FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\ ProcessID : 868 ThreadCreationTime : 11/11/2004 4:26:18 PM BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights ReservedMemory scan result:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»New critical objects: 0Objects found so far: 0Started registry scan»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 180Solutions Object Recognized! Type : Regkey Data : Category : Data Miner Comment : Rootkey : HKEY_LOCAL_MACHINE Object : software\180solutions 180Solutions Object Recognized! Type : RegValue Data : Category : Data Miner Comment : "partner_id" Rootkey : HKEY_LOCAL_MACHINE Object : software\msbb Value : partner_id Alexa Object Recognized! Type : RegValue Data : Category : Data Miner Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}" Rootkey : HKEY_USERS Object : S-1-5-21-1214440339-1677128483-839522115-500\software\microsoft\internet explorer\extensions\cmdmapping Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a} TopMoxie Object Recognized! Type : RegValue Data : Category : Data Miner Comment : "WebRebates0" Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\run Value : WebRebates0 Win32.Backdoor.Agobot Object Recognized! 
Type : RegValue Data : Category : Malware Comment : "sys29" Rootkey : HKEY_LOCAL_MACHINE Object : software\microsoft\windows\currentversion\run Value : sys29Registry Scan result:»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»New critical objects: 5Objects found so far: 5Started deep registry scan»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Page\temp\sp.html Possible Browser Hijack attempt Object Recognized! Type : RegData Data : "file://C:\WINNT\TEMP\sp.html" Category : Malware Comment : Possible Browser Hijack attempt Rootkey : HKEY_USERS Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main Value : Search Page Data : "file://C:\WINNT\TEMP\sp.html"Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Bar\temp\sp.html Possible Browser Hijack attempt Object Recognized! Type : RegData Data : "file://C:\WINNT\TEMP\sp.html" Category : Malware Comment : Possible Browser Hijack attempt Rootkey : HKEY_USERS Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main Value : Search Bar Data : "file://C:\WINNT\TEMP\sp.html"Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistant\temp\sp.html Possible Browser Hijack attempt Object Recognized! Type : RegData Data : "file://C:\WINNT\TEMP\sp.html" Category : Malware Comment : Possible Browser Hijack attempt Rootkey : HKEY_USERS Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search Value : SearchAssistant Data : "file://C:\WINNT\TEMP\sp.html"Trusted zone presumably compromised : blazefind.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : blazefind.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com Possible Browser Hijack attempt Object Recognized! 
Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : blazefind.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blazefind.com Value : *Trusted zone presumably compromised : flingstone.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : flingstone.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com Possible Browser Hijack attempt Object Recognized! Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : flingstone.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\flingstone.com Value : *Trusted zone presumably compromised : searchbarcash.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : searchbarcash.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com Possible Browser Hijack attempt Object Recognized! Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : searchbarcash.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchbarcash.com Value : *Trusted zone presumably compromised : searchmiracle.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : searchmiracle.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com Possible Browser Hijack attempt Object Recognized! 
Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : searchmiracle.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com Value : *Trusted zone presumably compromised : slotch.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : slotch.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com Possible Browser Hijack attempt Object Recognized! Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : slotch.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com Value : *Trusted zone presumably compromised : xxxtoolbar.com Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : xxxtoolbar.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com Possible Browser Hijack attempt Object Recognized! Type : RegValue Data : Category : Vulnerability Comment : Trusted zone presumably compromised : xxxtoolbar.com Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com Value : *Trusted zone presumably compromised : blazefind.comTrusted zone presumably compromised : clickspring.net Possible Browser Hijack attempt Object Recognized! Type : Regkey Data : Category : Vulnerability Comment : Trusted zone presumably compromised : clickspring.net Rootkey : HKEY_LOCAL_MACHINE Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net Possible Browser Hijack attempt Object Recognized! 
    Type            : RegValue
    Data            :
    Category        : Vulnerability
    Comment         : Trusted zone presumably compromised : clickspring.net
    Rootkey         : HKEY_LOCAL_MACHINE
    Object          : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
    Value           : *

Trusted zone presumably compromised : flingstone.com
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
    Type            : Regkey
    Data            :
    Category        : Vulnerability
    Comment         : Trusted zone presumably compromised : mt-download.com
    Rootkey         : HKEY_LOCAL_MACHINE
    Object          : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com

Possible Browser Hijack attempt Object Recognized!
    Type            : RegValue
    Data            :
    Category        : Vulnerability
    Comment         : Trusted zone presumably compromised : mt-download.com
    Rootkey         : HKEY_LOCAL_MACHINE
    Object          : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
    Value           : *

Trusted zone presumably compromised : my-internet.info

Possible Browser Hijack attempt Object Recognized!
    Type            : Regkey
    Data            :
    Category        : Vulnerability
    Comment         : Trusted zone presumably compromised : my-internet.info
    Rootkey         : HKEY_LOCAL_MACHINE
    Object          : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info

Possible Browser Hijack attempt Object Recognized!
    Type            : RegValue
    Data            :
    Category        : Vulnerability
    Comment         : Trusted zone presumably compromised : my-internet.info
    Rootkey         : HKEY_LOCAL_MACHINE
    Object          : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info
    Value           : *

Trusted zone presumably compromised : searchbarcash.com
Trusted zone presumably compromised : searchbarcash.com
Trusted zone presumably compromised : searchmiracle.com
Trusted zone presumably compromised : slotch.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 21
Objects found so far: 26

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
    Type            : IECache Entry
    Data            : administrator@0[1].txt
    Category        : Data Miner
    Comment         : Hits:1
    Value           : Cookie:[email protected]/HTM/461/0
    Expires         : 7/16/2005 3:36:48 PM
    LastSync        : Hits:1
    UseCount        : 0
    Hits            : 1

Tracking Cookie Object Recognized!
    Type            : IECache Entry
    Data            : [email protected][2].txt
    Category        : Data Miner
    Comment         : Hits:17
    Value           : Cookie:[email protected]/
    Expires         : 7/26/2004 1:38:44 PM
    LastSync        : Hits:17
    UseCount        : 0
    Hits            : 17

Tracking Cookie Object Recognized!
    Type            : IECache Entry
    Data            : administrator@0[3].txt
    Category        : Data Miner
    Comment         : Hits:2
    Value           : Cookie:[email protected]/HTM/461/0
    Expires         : 7/16/2005 3:37:02 PM
    LastSync        : Hits:2
    UseCount        : 0
    Hits            : 2

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 29

Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

180Solutions Object Recognized!
    Type            : File
    Data            : msbbhook.dll
    Category        : Data Miner
    Comment         :
    Object          : C:\WINNT\

180Solutions Object Recognized!
    Type            : File
    Data            : msbb.exe_tobedeleted
    Category        : Data Miner
    Comment         :
    Object          : C:\WINNT\
    FileVersion     : 5, 12, 0, 13
    ProductVersion  : 5, 12, 0, 13
    ProductName     : Search Assistant
    CompanyName     : 180solutions, Inc.
    FileDescription : Search Assistant
    LegalCopyright  : Copyright © 2004, 180solutions Inc.

Disk Scan Result for C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31

Disk Scan Result for C:\WINNT\System32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31

180Solutions Object Recognized!
    Type            : File
    Data            : msbb.exe
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XoftSpyBackup\5\FLEOK\
    FileVersion     : 5, 9, 0, 7
    ProductVersion  : 5, 9, 0, 7
    ProductName     : Search Assistant
    CompanyName     : 180solutions, Inc.
    FileDescription : Search Assistant
    LegalCopyright  : Copyright © 2004, 180solutions Inc.

180Solutions Object Recognized!
    Type            : File
    Data            : ncmyb.dll
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XoftSpyBackup\5\

180Solutions Object Recognized!
    Type            : File
    Data            : msbb.exe_tobedeleted
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XoftSpyBackup\5\
    FileVersion     : 5, 9, 0, 7
    ProductVersion  : 5, 9, 0, 7
    ProductName     : Search Assistant
    CompanyName     : 180solutions, Inc.
    FileDescription : Search Assistant
    LegalCopyright  : Copyright © 2004, 180solutions Inc.

180Solutions Object Recognized!
    Type            : File
    Data            : 11
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XoftSpyBackup\

180Solutions Object Recognized!
    Type            : File
    Data            : 12
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\XoftSpyBackup\
    FileVersion     : 5, 9, 0, 7
    ProductVersion  : 5, 9, 0, 7
    ProductName     : Search Assistant
    CompanyName     : 180solutions, Inc.
    FileDescription : Search Assistant
    LegalCopyright  : Copyright © 2004, 180solutions Inc.

Elitum.ElitebarBHO Object Recognized!
    Type            : File
    Data            : 1289263.dll
    Category        : Data Miner
    Comment         :
    Object          : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
    FileVersion     : 1, 0, 0, 53
    ProductVersion  : 1, 0, 0, 53
    ProductName     : EliteToolBar Dynamic Link Library
    FileDescription : EliteToolBar DLL
    InternalName    : EliteToolBar
    LegalCopyright  : Copyright © 2004
    OriginalFilename: EliteToolBar.DLL

Disk Scan Result for C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37

Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
54 entries scanned.
New critical objects:0
Objects found so far: 37

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Pornosphere.url
    Category        : Misc
    Comment         : Problematic URL discovered: searchmiracle.com/links/?account=waveflow&domain=cb&cat=www.pornosphere.com/index.html?23
    Object          : C:\Documents and Settings\Administrator\Favorites\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Online Casinos.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Online Casinos
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Sport Betting.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...q=Sport+Betting
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Sportsbooks.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Sportsbooks
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Online Betting.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...=Online+Betting
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Blackjack.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ia&qq=Blackjack
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Baccarat.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...dia&qq=Baccarat
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Online Gaming.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Online Gaming
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Poker.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...emedia&qq=Poker
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Bingo.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...emedia&qq=Bingo
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Horse Racing.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...emedia&qq=Horse Racing
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Slot Machines.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...nemedia&qq=Slot Machines
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Betting.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...edia&qq=Betting
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Roulette.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...dia&qq=Roulette
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Adult.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...emedia&qq=Adult
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Escorts.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...edia&qq=Escorts
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Online Dating.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...q=Online+Dating
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Sex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...anemedia&qq=Sex
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Penis Enlargement.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...nis+Enlargement
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Teen Sex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...nemedia&qq=Teen Sex
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Single Girls.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...qq=Single+Girls
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Lesbian Sex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Lesbian+Sex
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Hardcore Sex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...dia&qq=Hardcore Sex
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Free Sex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...nemedia&qq=Free Sex
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Sexual Enhancement.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Sexual Enhancement
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Xxx Video.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...anemedia&qq=Xxx Video
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Xxx Movie.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...anemedia&qq=Xxx Movie
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Breast Enlargement.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Breast Enlargement
    Object          : C:\Documents and Settings\Administrator\Favorites\Casino & Adult\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Debt Consolidation.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...nemedia&qq=Debt Consolidation
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Credit.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Credit
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Credit Reports.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...=Credit+Reports
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Refinance.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ia&qq=Refinance
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Home Mortgages.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...=Home+Mortgages
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Loans.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...emedia&qq=Loans
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Asset Protection.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...sset+Protection
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Insurance.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ia&qq=Insurance
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Bad Credit.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...anemedia&qq=Bad Credit
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Bankruptcy.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...a&qq=Bankruptcy
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Cash Advance.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...qq=Cash+Advance
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Debt Relief.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Debt+Relief
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Business.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...dia&qq=Business
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Small business.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...=small+business
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Work At Home.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...qq=work+at+home
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Marketing.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ia&qq=Marketing
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : e commerce.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...a&qq=e+commerce
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Advertising.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Advertising
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Project Management.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ject+Management
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Business opportunity.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...ess+opportunity
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Human Resources.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...Human+Resources
    Object          : C:\Documents and Settings\Administrator\Favorites\Finances & Business\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Weight loss.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Weight+loss
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Viagra.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=viagra
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Diet pills.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...a&qq=Diet+pills
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Phentermine.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...&qq=Phentermine
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Adipex.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Adipex
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Prozac.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/search/search.php...media&qq=Prozac
    Object          : C:\Documents and Settings\Administrator\Favorites\Health & Insurance\

Possible Browser Hijack attempt Object Recognized!
    Type            : File
    Data            : Xenical.url
    Category        : Misc
    Comment         : Problematic URL discovered: http://searchmiracle.com/
hawkeye (Author) Posted November 11, 2004

trying to get you help
JD

Hello JD,
Thank you for getting help for me, talk to you soon. Have a good day.
Regards
Hawkeye
Dragon Posted November 12, 2004

Please don't start two separate topics on the same issue. I am merging this topic and the other one that you started together.
Thanks.
hawkeye (Author) Posted November 12, 2004

Please don't start two separate topics on the same issue. I am merging this topic and the other one that you started together.
Thanks.

Hello Efwis,
Forgive me for merging the 2 topics together. Thank you for taking the time to look into the matter. Hope to hear from you real soon.
Have a nice day.
Regards
Hawkeye