A friend of mine is in trouble with his computer. The main problem was that it had become very sluggish. I recommended he install Ad-Aware and send me the scan for you good people to analyse. But he didn't get very far before more trouble came his way.
Here is his last message which I translated:
I have followed the instructions but unfortunately, once the Ad-Aware scanning process had started, after a few seconds I got this message:
MESSAGE #1
OCSTART 16 EXE NO DEBUGGER has been found.
The registered JIT debugger is not available. Starting a JIT debugger with the following command produces an error 0x2 (2). Verify the computer's settings. cordbg.exe !a 0xffc
Click on Restart so the process waits while you manually attach a debugger
Click on Cancel to cancel the demand for JIT debug.
After this, the scan started again, but a few seconds later came this second message:
MESSAGE #2
STOP: C000021a Fatal System Error
The system process Windows Logon Process has terminated unexpectedly with the following status:
0x000000 (0x00000000 0x00000000) The system was stopped.
All of this written on this beautiful BLUE SCREEN! Shut down the computer.
Afterwards the computer became very unstable. With lots of ON/OFF he finally managed to reach System Restore and bring it back to the last one done. Things are better but not great.
I told him not to try anything until I get back with your expert advice. I also asked him what he was using as OS, AV and firewall... but I'm still waiting for his answer....
I would be very grateful for your assistance...
N.B. This might be a long process, since we have to talk by email (when the computer works...) or long-distance phone calls.
hummm no replies yet?
ok
"I'm not an expert"
but see if he has the latest reference file; if not, try and update to it. If trouble, what happened?
Since it is in the scan, I suspect something is in conflict with it, so:
1. Turn off all the stuff in the system tray and be offline!
try it
did it scan? if not
have him try in safe mode ?
info at my site on "safe mode"
did it scan?
if so please post the full log
fewer cookies and MRUs ;-)
This link: http://www.techspot.com/vb/topic14079.html led me to here:
0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED
(Click to consult the online Win XP Resource Kit article, or see Windows 2000 Professional Resource Kit, p. 1561.)
This occurs when Windows switches into kernel mode and a user-mode subsystem, such as Winlogon or the Client Server Runtime Subsystem (CSRSS), is compromised and security can no longer be guaranteed. Because Win XP can't run without Winlogon or CSRSS, this is one of the few situations where the failure of a user-mode service can cause the system to stop responding. This Stop message also can occur when the computer is restarted after a system administrator has modified permissions so that the SYSTEM account no longer has adequate permissions to access system files and folders.
* GoBack Causes a Stop Error C000021a {KB 316503} Win XP
* Internet Explorer Maintenance Policies May Cause an Access Violation in Winlogon {KB 318666} Win XP Pro
http://aumha.org/win5/kbestop.htm
Hi Mitch!
He had downloaded Ad-Aware and was supposed to have updated the reference file. I just coached him by phone (he's paying the long distance!!!) to go into safe mode, and not only was his Ad-Aware not updated, it wasn't installed either. So we did that and checked and pointed etc... and scanned with what we had (ref file #43 I think... eheh!) there, and it took well over half an hour but found 740 baddies of all kinds and we killed them all. Got him out of there and now he will UPDATE and go back to safe mode and redo a proper scan and get the log file and send it to me when he does. I also just sent him all the instructions for HJT and sent him the zip so he wouldn't have to surf to get it, since at this time he has NO protection whatsoever! He'll go buy PC-cillin at a store; it does have the firewall included so it will be simpler for him. But I'm sure he's got leftovers from his Norton and AVG and a bunch of stuff he eventually threw away!
So I guess tomorrow, he'll get at it and I'll transmit here when I get both logs.
He still gets the same messages as above after reboot though!!! :(
Well, enough plumbing for today, eheh! Did my toilet tank this morning and my friend's "fish tank" tonight, so now it's time for me to fall into my bed like a tank! :)
Thanks Mitch for the attention and I did use your newbie Oldie to find the procedure for Safe Mode !!! ;-D
Just as I was shutting down, here came this one. Nice going on his part, he did it all by himself this time... updated, safe mode and scanned. Even if it is still ugly, with 98 more baddies, it is better than the 740 on the first run! SAY: YES!!! :tease: and make me laugh, because now I have to go and sleep on it!!! :(
Ad-Aware SE Build 1.06r1
Logfile Created on:23 August, 2005 19:22:00
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R62 17.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):4 total references
AlertSpy(TAC index:1):39 total references
Claria(TAC index:7):22 total references
ClearSearch(TAC index:7):5 total references
Ebates MoneyMaker(TAC index:4):8 total references
Elitum.ElitebarBHO(TAC index:5):3 total references
ErrorGuard(TAC index:10):1 total references
EzuLa(TAC index:6):2 total references
GoIndirect(TAC index:5):1 total references
istbar(TAC index:7):2 total references
Lycos Sidesearch(TAC index:7):2 total references
SahAgent(TAC index:9):3 total references
TPS108(TAC index:9):2 total references
WhenU(TAC index:3):1 total references
VX2(TAC index:10):2 total references
Zango(TAC index:6):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-08-23 19:22:00 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 2005-08-23 23:19:13
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 192
ThreadCreationTime : 2005-08-23 23:19:24
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 2005-08-23 23:19:27
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 2005-08-23 23:19:31
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 2005-08-23 23:19:31
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 432
ThreadCreationTime : 2005-08-23 23:19:35
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 456
ThreadCreationTime : 2005-08-23 23:19:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 704
ThreadCreationTime : 2005-08-23 23:20:00
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE
#:9 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 752
ThreadCreationTime : 2005-08-23 23:20:06
BasePriority : Normal
#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 868
ThreadCreationTime : 2005-08-23 23:20:26
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2 Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{53f066f0-a4c0-4f46-83eb-2dfd03f938cf}
AlertSpy Object Recognized!
Type : Regkey
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-1482476501-1957994488-1202660629-1003\software\local appwizard-generated applications\alertspy
AlertSpy Object Recognized!
Type : Regkey
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : KeepHistoryPathName
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : KeepHistory
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : AutoupdateChecks
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : AutoupdateConfirmation
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : AutoupdateManually
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : KeepDeletedFiles
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : KeepDeletedFilesPathName
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : ScanDrives
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : ScanFolders
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : ScanWindowsRegistry
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : BeepAfterLTO
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : MBAfterLTO
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : Database URL
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : Version URL
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : LastUpdated
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : X
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : Y
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : XS
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : YX
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises\alertspy
Value : Details
AlertSpy Object Recognized!
Type : Regkey
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\app paths\alertspy.exe
AlertSpy Object Recognized!
Type : Regkey
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
Value : UninstallString
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
Value : DisplayIcon
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
Value : DisplayVersion
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
Value : URLInfoAbout
AlertSpy Object Recognized!
Type : RegValue
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\alertspy
Value : Publisher
AlertSpy Object Recognized!
Type : Regkey
Data :
TAC Rating : 1
Category : Misc
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\mandel enterprises
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-1482476501-1957994488-1202660629-1003\software\lq
Value : AC
istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "disp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion
Value : disp
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 33
Objects found so far: 33
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 33
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 33
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
AlertSpy Object Recognized!
Type : File
Data : A0341423.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP885\
FileVersion : 1.0.8.0
ProductVersion : 1.0.8.0
ProductName : AlertSpy
CompanyName : Mandel Enterprise
FileDescription : AlertSpy
InternalName : AlertSpy.exe
LegalCopyright : (c) 2005 Mandel Enterprise. All rights reserved.
OriginalFilename : UI.exe
AlertSpy Object Recognized!
Type : File
Data : A0341424.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP885\
AlertSpy Object Recognized!
Type : File
Data : A0341708.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1.0.8.0
ProductVersion : 1.0.8.0
ProductName : AlertSpy
CompanyName : Mandel Enterprise
FileDescription : AlertSpy
InternalName : AlertSpy.exe
LegalCopyright : (c) 2005 Mandel Enterprise. All rights reserved.
OriginalFilename : UI.exe
AlertSpy Object Recognized!
Type : File
Data : A0341709.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
AlertSpy Object Recognized!
Type : File
Data : A0341952.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
AlertSpy Object Recognized!
Type : File
Data : A0341953.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1.0.8.0
ProductVersion : 1.0.8.0
ProductName : AlertSpy
CompanyName : Mandel Enterprise
FileDescription : AlertSpy
InternalName : AlertSpy.exe
LegalCopyright : (c) 2005 Mandel Enterprise. All rights reserved.
OriginalFilename : UI.exe
Claria Object Recognized!
Type : File
Data : A0342007.exe
TAC Rating : 7
Category : Data Miner
Comment : PrecisionTime
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 2.0.0.2
ProductVersion : 2.0.0.2
ProductName : PrecisionTime
CompanyName : The Gator Corporation
FileDescription : Precision Time Application
InternalName : PrecisionTime.exe
LegalCopyright : Copyright © 2002 The Gator Corporation
OriginalFilename : PrecisionTime.exe
Claria Object Recognized!
Type : File
Data : A0342012.exe
TAC Rating : 7
Category : Data Miner
Comment : DateManager
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 2.0.0.1
ProductVersion : 2.0.0.1
ProductName : Date Manager
CompanyName : The Gator Corporation
FileDescription : Date Manager Application
InternalName : DateManager.exe
LegalCopyright : Copyright © 2002 The Gator Corporation
OriginalFilename : DateManager.exe
Claria Object Recognized!
Type : File
Data : A0342013.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGGCEngine Dynamic Link Library
InternalName : EGGCEngine dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : EGGCEngine dll
Claria Object Recognized!
Type : File
Data : A0342014.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : egIEClient Dynamic Link Library
InternalName : egIEClient.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : egIEClient.dll
Claria Object Recognized!
Type : File
Data : A0342015.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGIEProcess Dynamic Link Library
InternalName : EGIEProcess dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : EGIEProcess dll
Claria Object Recognized!
Type : File
Data : A0342016.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : EGNSEngine Dynamic Link Library
InternalName : EGNSEngine dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : EGNSEngine dll
Claria Object Recognized!
Type : File
Data : A0342017.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GatorRes Dynamic Link Library
InternalName : GatorRes DLL
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GatorRes DLL
Claria Object Recognized!
Type : File
Data : A0342019.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : Gator Client Application
InternalName : Gator.exe
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : Gator.exe
Claria Object Recognized!
Type : File
Data : A0342020.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GAIN Uninstaller applet
InternalName : GUninstaller.exe
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GUninstaller.exe
Claria Object Recognized!
Type : File
Data : A0342021.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GAIN Application
InternalName : GMT.exe
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GMT.exe
Claria Object Recognized!
Type : File
Data : A0342116.exe
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : CMESys.exe
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : CMESys.exe
Claria Object Recognized!
Type : File
Data : A0342117.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GAppMgr.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GAppMgr.dll
Claria Object Recognized!
Type : File
Data : A0342118.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GController.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GController.dll
Claria Object Recognized!
Type : File
Data : A0342119.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GDlwdEng.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GDlwdEng.dll
Claria Object Recognized!
Type : File
Data : A0342120.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GIocl.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GIocl.dll
Claria Object Recognized!
Type : File
Data : A0342121.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GIoclClient.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GIoclClient.dll
Claria Object Recognized!
Type : File
Data : A0342122.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GMTProxy.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GMTProxy.dll
Claria Object Recognized!
Type : File
Data : A0342123.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GObjs.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GObjs.dll
Claria Object Recognized!
Type : File
Data : A0342124.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GStore.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GStore.dll
Claria Object Recognized!
Type : File
Data : A0342125.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GStoreServer.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GStoreServer.dll
Claria Object Recognized!
Type : File
Data : A0342126.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : GTools.dll
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : GTools.dll
Claria Object Recognized!
Type : File
Data : A0342127.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 7.0.3.5
ProductVersion : 7.0.3.5
ProductName : CME
CompanyName : GAIN Publishing
FileDescription : CME II Client Application
InternalName : CMEIIAPI.DLL
LegalCopyright : Copyright © 1999-2005 GAIN Publishing
OriginalFilename : CMEIIAPI.DLL
ClearSearch Object Recognized!
Type : File
Data : A0342135.DLL
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
ProductName : CSss
CompanyName : Clear Search
FileDescription : CSss
InternalName : CSss
LegalCopyright : Copyright © 2003, 2004
OriginalFilename : CSss.dll
ClearSearch Object Recognized!
Type : File
Data : A0342136.DLL
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
ProductName : CSbi
CompanyName : Clear Search
FileDescription : CSbi
InternalName : CSbi
LegalCopyright : Copyright © 2003, 2004
OriginalFilename : CSbi.dll
Elitum.ElitebarBHO Object Recognized!
Type : File
Data
You are a little short on the log, but I think I know where all the adware and spyware went. He has it all!
Sorry, but now it's time for the big kids to work on that list.
the Phantom said as he put his hands in his pockets and walked away
Elitum.ElitebarBHO Object Recognized!
Type : File
Data : A0342139.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Elite SideBar
FileDescription : Elite SideBar
InternalName : Elite SideBar
LegalCopyright : Copyright 2004
OriginalFilename : EliteSideBar.DLL
Elitum.ElitebarBHO Object Recognized!
Type : File
Data : A0342140.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 8
ProductName : Elite SideBar
FileDescription : Elite SideBar
InternalName : Elite SideBar
LegalCopyright : Copyright 2004
OriginalFilename : EliteSideBar.DLL
Elitum.ElitebarBHO Object Recognized!
Type : File
Data : A0342141.dll
TAC Rating : 5
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 60
ProductVersion : 1, 0, 0, 60
ProductName : EliteToolBar Dynamic Link Library
FileDescription : EliteToolBar DLL
InternalName : EliteToolBar
LegalCopyright : Copyright (C) 2004
OriginalFilename : EliteToolBar.DLL
WhenU Object Recognized!
Type : File
Data : A0342142.exe
TAC Rating : 3
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 5, 0, 2
ProductVersion : 1, 5, 0, 2
ProductName : WeatherCast Uninstall
CompanyName : WhenU.com, Inc.
FileDescription : WeatherCast Uninstall
InternalName : Uninst
LegalCopyright : Copyright 2001
OriginalFilename : Uninst.exe
180Solutions Object Recognized!
Type : File
Data : A0342145.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : exe_in_dll Module
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
LegalCopyright : Copyright 2001
OriginalFilename : exe_in_dll.DLL
Zango Object Recognized!
Type : File
Data : A0342146.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 5, 11, 0, 3
ProductVersion : 5, 11, 0, 3
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2004, 180solutions Inc.
180Solutions Object Recognized!
Type : File
Data : A0342147.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
180Solutions Object Recognized!
Type : File
Data : A0342148.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
GoIndirect Object Recognized!
Type : File
Data : A0342149.exe
TAC Rating : 5
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
ClearSearch Object Recognized!
Type : File
Data : A0342150.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : exe_in_dll Module
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
LegalCopyright : Copyright 2001
OriginalFilename : exe_in_dll.DLL
ClearSearch Object Recognized!
Type : File
Data : A0342151.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : exe_in_dll Module
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
LegalCopyright : Copyright 2001
OriginalFilename : exe_in_dll.DLL
Lycos Sidesearch Object Recognized!
Type : File
Data : A0342152.dll
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : exe_in_dll Module
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
LegalCopyright : Copyright 2001
OriginalFilename : exe_in_dll.DLL
SahAgent Object Recognized!
Type : File
Data : A0342153.exe
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 2, 0, 0, 2
ProductVersion : 2, 0, 0, 2
ProductName : Popup Application
FileDescription : Popup MFC Application
InternalName : Popup
LegalCopyright : Copyright (C) 2004
OriginalFilename : Popup.EXE
Lycos Sidesearch Object Recognized!
Type : File
Data : A0342154.exe
TAC Rating : 7
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
SahAgent Object Recognized!
Type : File
Data : A0342155.dll
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : exe_in_dll Module
FileDescription : exe_in_dll Module
InternalName : exe_in_dll
LegalCopyright : Copyright 2001
OriginalFilename : exe_in_dll.DLL
EzuLa Object Recognized!
Type : File
Data : A0342156.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
LegalCopyright : Copyright (C) 2002
EzuLa Object Recognized!
Type : File
Data : A0342157.exe
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 2, 0, 69, 13
ProductVersion : 1, 0, 0, 1
ProductName : eZstub Module
CompanyName : MindSet3
FileDescription : eZstub Module
InternalName : eZstub
LegalCopyright : Copyright 2000
OriginalFilename : eZstub.EXE
TPS108 Object Recognized!
Type : File
Data : A0342158.DLL
TAC Rating : 9
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
FileVersion : 0, 3, 1, 9
ProductVersion : 0, 3, 1, 9
ProductName : TPS108
CompanyName : TPS108
FileDescription : TPS108 Module
InternalName : TPS108
LegalCopyright : Copyright 2001, 2002
OriginalFilename : TPS108.DLL
Comments : http://www.tps108.org
TPS108 Object Recognized!
Type : File
Data : A0342159.exe
TAC Rating : 9
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
180Solutions Object Recognized!
Type : File
Data : A0342160.dll
TAC Rating : 6
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
ErrorGuard Object Recognized!
Type : File
Data : A0323330.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP864\
AlertSpy Object Recognized!
Type : File
Data : A0323331.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP864\
AlertSpy Object Recognized!
Type : File
Data : A0339806.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
FileVersion : 1.0.8.0
ProductVersion : 1.0.8.0
ProductName : AlertSpy
CompanyName : Mandel Enterprise
FileDescription : AlertSpy
InternalName : AlertSpy.exe
LegalCopyright : (c) 2005 Mandel Enterprise. All rights reserved.
OriginalFilename : UI.exe
AlertSpy Object Recognized!
Type : File
Data : A0339807.exe
TAC Rating : 1
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 87
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 87
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 87
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
VX2 Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\media
Value : data
Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT
istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager
ClearSearch Object Recognized!
Type : File
Data : atl71.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\
FileVersion : 7.10.3077.0
ProductVersion : 7.10.3077.0
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : ATL Module for Windows (Unicode)
InternalName : ATL71.DLL
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ATL71.DLL
SahAgent Object Recognized!
Type : File
Data : vp.dat
TAC Rating : 9
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 98
19:39:47 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:46.683
Objects scanned:175096
Objects identified:98
Objects ignored:0
New critical objects:98
CORRINE... I just saw your message there in the midst of the rest... 8) I will read it again and maybe (????) understand it after a good night's sleep.... :titanic:
Goatie -- as I was about to post, I see you replied about the error messages. They are merely links, as I don't have the answers. Following are the instructions that I hope will be clear.
I think he will need HJT, as that imgreg.exe file isn't detected by AAW. However, let's see what we can do to get things started. Don't worry about all the extra objects in System Restore. We do not want to clear SR until after the computer is clean.
Goatie, I saved your original translations but you will need to translate a couple more parts here for your friend. There are also a few more files that will be needed. I hope you get a good night's sleep as you'll be busy tomorrow!
O^E's Host File Reader from Mitch's Site: http://members.accessbee.com/mitch/HostsFileReader.zip
CCleaner from http://www.ccleaner.com
VX2 Cleaner from http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
1) Hosts file
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
If he is using a host file program, just move on to the next part. However, if not, could you download and email him the "Host File Viewer" by Option^Explicit. "It is a 65K program which will allow you to find/view/open/read/edit/restore to default settings your HOST file. Instructions are on the display screen of the program. You will want to restore to the default settings." (Copied from Mitch ages ago!!)
http://members.accessbee.com/mitch/HostsFileReader.zip
Just unzip the file and launch the HostFileReader.exe. Select "Reset Default"
2) CCleaner - this may be an easier and more thorough option than the instructions that will follow for cleaning temp files and the like.
A. It is suggested that you clean the following directory contents (but not the directory folder). Please disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers.
Temp\
2. C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies.
3. C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
4. C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
5. C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
6. Empty your "Recycle Bin".
You may wish to use CCleaner for the above process. Download CCleaner from http://www.ccleaner.com/ and run CCleaner following these instructions:
1. Before first use, check under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. To protect logon cookies that you wish to retain, go to Options > Cookies. Select them and, using the arrow, move those cookies to the "Cookies to keep" column.
4. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer" section.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.
In the Applications Tab:
Clean all in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
5. Then click the "Run Cleaner" button and it will scan and clean your system.
6. Click exit. Shut down/restart the computer.
3) Install the new VX2 Cleaner Plugin but don't run it yet -- Note, however, the instructions at http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
4) Now the saved instructions + VX2 Cleaner inserted as #6 in instructions & in Goatie's translation.
If you would like to clean your machine, please launch Ad-Aware SE and check for any Definition File updates. Click on the gear to access the Configuration Menu. Click on Tweak > Cleaning Engine >
UNcheck "Always try to unload modules before deletion". Then, please follow the steps listed below.
A. It is suggested that you clean the following directory contents (but not the directory folder). Please disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers.
Temp\
2. C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet content including cookies.
3. C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
4. C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
5. C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
6. Empty your "Recycle Bin".
B. Please shut down/restart the computer. Do not launch any programs or connect to the internet at this time.
1. Launch Ad-Aware SE and run a Full Scan.
2. When the scan has completed, select Next.
3. In the Scanning Results window, select the "Scan Summary" tab.
4. Check the box next to each "target family" you wish to remove.
5. Click next, Click OK.
6. Click on Plugins and run the VX2 Cleaner, following the instructions above.
7. Shutdown/restart and run another full scan, posting the results as a reply.
If you have any questions, please do not hesitate to ask. Thank you.
Quote from: Goatie
If you want to clean your system, please launch Ad-Aware SE and update the definitions if necessary. Click on the gear wheel to access the configuration menu. Click on TWEAK --->Cleaning Engine---->and uncheck the item: always try to unload modules before deletion. Then, please follow the steps listed below.
A) It is suggested that you clean the contents of the following directories (but NOT the directory folder). Please disconnect from the Internet (for broadband/cable users, it is recommended to unplug the cable) and close all browsers.
1. C:\Windows\Temp\
2. C:\Documents and Settings\<your profile>\Local Settings\Temporary Internet Files\ <=this will delete all of the internet cache contents, including cookies.
3. C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
4. C:\Documents and Settings\<Any other user profile>\Local Settings\Temporary Internet Files\
5. C:\Documents and Settings\<Any other user profile>\Local Settings\Temp\
6. Empty your "Recycle Bin".
B) Please shut down/restart the computer. Do not launch any program or connect to the Internet for the moment.
1) Launch Ad-Aware SE and run a full system scan.
2) When the scan is complete, choose Next.
3) In the scan results window, choose the Scan Summary tab.
4) Check the box next to each target family you wish to remove.
5) Click Next --->click OK
6) Click on Plugins and run the VX2 Cleaner, following the instructions above.
7) Shut down the computer, then restart. Run the full scan again and post the result here as a reply.
If you have any other questions, please don't hesitate to ask. Thank you.
It looks like Lavasoft has done it once more :muahaha:
Quote
ClearSearch Object Recognized!
Type : File
Data : atl71.dll
TAC Rating : 7
Category : Data Miner
Comment :
Object : C:\WINDOWS\System32\
FileVersion : 7.10.3077.0
ProductVersion : 7.10.3077.0
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : ATL Module for Windows (Unicode)
InternalName : ATL71.DLL
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ATL71.DLL
That file is safe and should not be deleted
Cheers
Mannen
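The two triage points made in this thread (leave the copies inside System Restore alone until the machine is clean, and treat a Microsoft-labelled file in System32 such as atl71.dll as a probable false positive rather than deleting it) can be applied mechanically to a log in this format. The parser below is an added example, not Lavasoft's code or anything posted by the participants; the embedded sample log is a constructed excerpt modelled on the log above, and the trusted-vendor list and system-directory check are assumptions, not Ad-Aware rules.

```python
"""Triage an Ad-Aware SE log: split System Restore copies from live hits and
flag vendor-labelled system files that may be false positives. Added example;
the trusted-vendor heuristic is an assumption, not an Ad-Aware rule."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

RECOGNIZED_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
# "Key : value" lines; keys may contain spaces ("TAC Rating").
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s?(?P<value>.*)$")
RESTORE_MARK = "\\system volume information\\_restore"
TRUSTED_VENDORS = ("microsoft corporation",)  # assumption
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")  # assumption


@dataclass
class Detection:
    family: str
    fields: dict = field(default_factory=dict)

    @property
    def path(self) -> str:
        return self.fields.get("Object", "")

    @property
    def in_system_restore(self) -> bool:
        # Copies under _restore{...}\RPnnn are inert until SR is cleared.
        return RESTORE_MARK in self.path.lower()

    @property
    def needs_review(self) -> bool:
        # A file in a system directory whose version resource names a
        # trusted vendor (the atl71.dll case) is more likely a definition
        # false positive than an infection: verify before deleting.
        company = self.fields.get("CompanyName", "").lower()
        path = self.path.lower()
        return (self.fields.get("Type") == "File"
                and any(v in company for v in TRUSTED_VENDORS)
                and any(path.startswith(d) for d in SYSTEM_DIRS))


def parse_log(text: str) -> list[Detection]:
    """Collect every 'Object Recognized!' block with its key/value lines."""
    detections: list[Detection] = []
    current: Detection | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RECOGNIZED_RE.match(line)
        if m:
            current = Detection(m.group("family"))
            detections.append(current)
            continue
        kv = KV_RE.match(line)
        if current is not None and kv:
            current.fields[kv.group("key")] = kv.group("value").strip()
        else:
            current = None  # warnings, separators, process headers end a block
    return detections


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Live hits must be removed; restore-point copies can wait;
    'review' entries should be verified before anything is deleted."""
    restore = [d for d in detections if d.in_system_restore]
    live = [d for d in detections if not d.in_system_restore]
    return {"live": live, "restore_only": restore,
            "review": [d for d in live if d.needs_review]}


# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""
Elitum.ElitebarBHO Object Recognized!
Type : File
Data : A0342139.dll
TAC Rating : 5
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
VX2 Object Recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\media
Value : data
ClearSearch Object Recognized!
Type : File
Data : atl71.dll
TAC Rating : 7
Object : C:\WINDOWS\System32\
CompanyName : Microsoft Corporation
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : pokapoka63.exe
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\pokapoka63.exe)
"C:\WINDOWS\etb\pokapoka63.exe"Process terminated successfully
"""
```

Running `triage(parse_log(SAMPLE_LOG))` puts the restore-point copy aside, keeps the registry value and the in-memory process as live hits, and lists atl71.dll under review instead of among the files to delete.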
CORRINE... thank you for all of this... I will get the instructions out to him as soon as I can (have my 2 grand-kids for the next 3 days, so will be a little slow) but will get them to him in sequences as I get one done so he also has work to do...
Unfortunately his Outlook won't let my zipped files get through to him ! :x Wish it did that on bad files and not on good ones!!! So have to have him go fetch and hope for the best. Sometimes we do have to live with faith only! :(
He now has all instructions for HJT and that should be the next one to show up... I will post it in HJT with a link to here when it comes...
MANNEN, thank you so much for the info concerning that .dll . Now I just hope he had not cleaned the whole thing after sending the log... (but I would bet he did!!! ) :( I'm also waiting for his answer on this one.
Well, I guess I have to live on Faith and Hope today... and keep up the spirit! so... eheh! :tease:
Goatie, what Mannen pointed out is likely the source of the fatal error he is receiving, since the links I found relate to Microsoft® Visual Studio .NET. Your friend needs to check the quarantine log and see if that object has already been removed, and then restore it from quarantine.
Instructions:
On the opening Ad-Aware screen, click "Open quarantine list", and you will see a list of all the quarantines that have been made. Double- or right-clicking on the individual quarantine files will allow you to view the objects contained in that quarantine. You can also try to locate the relevant one by reference to the Creation date. You can retrieve the removed objects by highlighting the relevant quarantine and clicking "Restore".
Please note that this will restore all the objects contained in the quarantine, so that if it contains objects you do not wish to restore, it will be necessary to run a further AAW scan, move the objects you want to keep into your ignore list, and then remove the balance again.
@Mannen -- nice catch. I've posted at BBR again since that is the site SteveJ and Mike seem to frequent the most. http://www.broadbandreports.com/forum/remark,14207322
Confirmed f/p to be fixed in the next update -- not SE1R63 24.08.2005 released today.
Well, unfortunately he has found the quarantined objects from the first 740 objects, but not that last one, so that file is lost!!! :(
I didn't get his HJT log yet, but here is a fresh Ad-Aware one with update to #63:
Now can he get rid of all of these??? Better ask before we're sorry again. This time he kept all!
One nice thing is that he seems to be able to scan without going into safe mode now...
Ad-Aware SE Build 1.06r1
Logfile Created on:24 août, 2005 10:26:39
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
123Search(TAC index:2):41 total references
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):39 total references
istbar(TAC index:7):2 total references
Other(TAC index:5):1 total references
Virtumonde(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-08-24 10:26:39 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 448
ThreadCreationTime : 2005-08-24 00:29:26
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 508
ThreadCreationTime : 2005-08-24 00:29:31
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 2005-08-24 00:29:36
BasePriority : High
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 2005-08-24 00:29:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 2005-08-24 00:29:37
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 768
ThreadCreationTime : 2005-08-24 00:29:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 820
ThreadCreationTime : 2005-08-24 00:29:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 916
ThreadCreationTime : 2005-08-24 00:29:42
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 2005-08-24 00:29:42
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1120
ThreadCreationTime : 2005-08-24 00:29:44
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:11 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1244
ThreadCreationTime : 2005-08-24 00:29:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\WINDOWS\System32\alg.exe"Process terminated successfully
#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1332
ThreadCreationTime : 2005-08-24 00:29:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:13 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3108
ThreadCreationTime : 2005-08-24 00:38:30
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Exécuter une DLL en tant qu'application
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : RUNDLL.EXE
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:14 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 3156
ThreadCreationTime : 2005-08-24 00:38:34
BasePriority : Normal
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:15 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 3216
ThreadCreationTime : 2005-08-24 00:38:37
BasePriority : Normal
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright (c) Hewlett-Packard Company 1999-2001
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"Process terminated successfully
#:16 [lvcoms.exe]
FilePath : C:\Program Files\Fichiers communs\Logitech\QCDriver3\
ProcessID : 3232
ThreadCreationTime : 2005-08-24 00:38:40
BasePriority : Normal
FileVersion : 7.3.0.1113
ProductVersion : 7.3.0.1113
ProductName : Logitech ImageStudio
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
OriginalFilename : LVComS.exe
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\Program Files\Fichiers communs\Logitech\QCDriver3\LVCOMS.EXE"Process terminated successfully
#:17 [spool.exe]
FilePath : C:\Program Files\spool\
ProcessID : 3240
ThreadCreationTime : 2005-08-24 00:38:40
BasePriority : Normal
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\Program Files\spool\spool.exe"Process terminated successfully
#:18 [ikeymain.exe]
FilePath : C:\PROGRA~1\Keyboard\
ProcessID : 3264
ThreadCreationTime : 2005-08-24 00:38:43
BasePriority : Normal
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\PROGRA~1\Keyboard\Ikeymain.exe"Process terminated successfully
#:19 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3272
ThreadCreationTime : 2005-08-24 00:38:43
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Mises à jour automatiques
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : wuauclt.exe
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\WINDOWS\System32\wuauclt.exe"Process terminated successfully
#:20 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 3288
ThreadCreationTime : 2005-08-24 00:38:44
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:21 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3324
ThreadCreationTime : 2005-08-24 00:38:45
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
"C:\WINDOWS\System32\ctfmon.exe"Process terminated successfully
#:22 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 2028
ThreadCreationTime : 2005-08-24 00:40:17
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : nt_hide63.dll
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\nt_hide63.dll)
#:23 [pokapoka63.exe]
FilePath : C:\WINDOWS\etb\
ProcessID : 1500
ThreadCreationTime : 2005-08-24 00:40:17
BasePriority : Normal
Elitum.ElitebarBHO Object Recognized!
Type : Process
Data : pokapoka63.exe
TAC Rating : 5
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\WINDOWS\etb\
Warning! Elitum.ElitebarBHO Object found in memory(C:\WINDOWS\etb\pokapoka63.exe)
"C:\WINDOWS\etb\pokapoka63.exe"Process terminated successfully
"C:\WINDOWS\etb\pokapoka63.exe"Process terminated successfully
#:24 [netscp.exe]
FilePath : C:\PROGRA~1\Netscape\Netscape\
ProcessID : 2728
ThreadCreationTime : 2005-08-24 13:34:37
BasePriority : Normal
#:25 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2464
ThreadCreationTime : 2005-08-24 14:25:10
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 14
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-1482476501-1957994488-1202660629-1003\software\lq
Value : AC
istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "disp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion
Value : disp
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 16
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
123Search Object Recognized!
Type : RegValue
Data :
TAC Rating : 0
Category : Data Miner
Comment : "System service63"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : System service63
123Search Object Recognized!
Type : File
Data : pokapoka63.exe
TAC Rating : 0
Category : Data Miner
Comment :
Object : c:\windows\etb\
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 18
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
123Search Object Recognized!
Type : File
Data : A0330648.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP878\
123Search Object Recognized!
Type : File
Data : A0330671.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP879\
123Search Object Recognized!
Type : File
Data : A0331671.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP879\
123Search Object Recognized!
Type : File
Data : A0332671.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP879\
123Search Object Recognized!
Type : File
Data : A0341317.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP885\
123Search Object Recognized!
Type : File
Data : A0341341.exe
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP885\
123Search Object Recognized!
Type : File
Data : A0341577.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP885\
123Search Object Recognized!
Type : File
Data : A0341932.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0341946.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0341963.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0342178.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0342190.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0342218.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0342228.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0342233.exe
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP886\
123Search Object Recognized!
Type : File
Data : A0332693.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP880\
123Search Object Recognized!
Type : File
Data : A0332734.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP881\
123Search Object Recognized!
Type : File
Data : A0333735.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP881\
123Search Object Recognized!
Type : File
Data : A0334735.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP881\
123Search Object Recognized!
Type : File
Data : A0334757.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP881\
123Search Object Recognized!
Type : File
Data : A0334771.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0335771.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0336771.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0336791.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0336801.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0337801.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0338801.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0339801.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0339969.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0339979.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0339987.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP882\
123Search Object Recognized!
Type : File
Data : A0340214.exe
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0340250.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0340273.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0341273.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0341285.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0341297.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP883\
123Search Object Recognized!
Type : File
Data : A0329636.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP877\
123Search Object Recognized!
Type : File
Data : A0329648.dll
TAC Rating : 0
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8066EEC7-679B-4832-AECC-938103AA8495}\RP877\
Virtumonde Object Recognized!
Type : File
Data : WindowsUpd4.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\
FileVersion : 0, 1, 13, 0
ProductVersion : 0, 1, 13, 0
ProductName : WindowsUpd
FileDescription : WindowsUpd
InternalName : WindowsUpd Component
LegalCopyright : Copyright (C) 2003
OriginalFilename : WindowsUpd.exe
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 58
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 58
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 58
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.1
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.2
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.3
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.4
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.5
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : FU3.6
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : LU3.7
Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\WINDOWS\etb
Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Casino & Carrers
Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Finances & Business
Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Health & Insurance
Elitum.ElitebarBHO Object Recognized!
Type : Folder
TAC Rating : 5
Category : Data Miner
Comment : Elitum.ElitebarBHO
Object : C:\Documents and Settings\Claude\Favoris\Homelife & Travel
istbar Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\downloadmanager
Virtumonde Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : .key
Virtumonde Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : SysUpd
Other Object Recognized!
Type : File
Data : POKAPOKA63.EXE-054F8AE4.pf
TAC Rating : 7
Category : Malware
Comment :
Object : C:\WINDOWS\prefetch\
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 29
Objects found so far: 87
10:44:13 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:34.327
Objects scanned:190601
Objects identified:75
Objects ignored:0
New critical objects:75
She finally got the HJT log!!!!
It is posted here:
http://www.landzdown.com/index.php/topic,1374.0/topicseen.html
Considering how deeply buried in the system Elitum is, it would be much safer to use Miekiemoes' fix. Please download http://users.telenet.be/bluepatchy/miekiemoes/tools/LQfix.exe (new version, safe mode not needed) and place it on your desktop.
Double-click LQfix.exe and click Install.
This will create a new folder called LQfix on your desktop.
Open the folder and double-click ClickThis.bat.
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.
Note: The download of the LQfix batch file is so quick (a 1K ZIP file), that you may only see a quick flash which could lead to thinking that nothing got downloaded. If in doubt, check the target 'save to' location for your downloaded file.
After the restart, please do a WebUpdate and run Ad-Aware SE again, removing any critical objects found.
Do yet another shutdown/restart, a new scan and post the results as a reply.
Thanks!
Let's hold off on the HJT log until we see the results of running Miekiemoes' fix. That would have been needed regardless, as HJT wouldn't be able to clean it either.
If you want, you can post a fresh HJT log AFTER running Miekiemoes' fix and cleaning with Ad-Aware.
Thanks!
Thanks a bunch CORRINE...
Message translated and sent to him this very minute... :)
( I hope the prompts generated within the fix won't be too complicated to understand or lead him to push wrong buttons again... eheh!)
HOPE! FAITH! again... (it'll be nice to go back to water and green grass for food some day!!!)
After Miekiemoes' fix.........
Ad-Aware SE Build 1.06r1
Logfile Created on:25 août, 2005 17:17:05
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
None
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-08-25 17:17:05 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 140
ThreadCreationTime : 2005-08-25 21:15:13
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 192
ThreadCreationTime : 2005-08-25 21:15:27
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 216
ThreadCreationTime : 2005-08-25 21:15:30
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 260
ThreadCreationTime : 2005-08-25 21:15:34
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 2005-08-25 21:15:34
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 432
ThreadCreationTime : 2005-08-25 21:15:38
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 456
ThreadCreationTime : 2005-08-25 21:15:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 700
ThreadCreationTime : 2005-08-25 21:15:54
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE
#:9 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 756
ThreadCreationTime : 2005-08-25 21:16:00
BasePriority : Normal
#:10 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 868
ThreadCreationTime : 2005-08-25 21:16:19
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 0
17:34:42 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:36.750
Objects scanned:176607
Objects identified:0
Objects ignored:0
New critical objects:0
That AAW scan was from safe mode, but that #9, I am positive, is most nasty, and there's lots of junk showing in the HJT log. Please tell your friend to stay offline until getting that firewall & A/V software installed and not to click on anything! I do believe you need to give him a most serious lecture.
I didn't see it but could have missed it. Does he have a SpyBot or a hosts file program running on his machine? If not, please be sure to tell the HJT Analyst. Based on normal mode Ad-Aware scans, after completing the cleanup, he will also need to clear system restore and set a new restore point. Otherwise, he takes the chance of reinfection if he selects a bad restore point.
Thanks Corrine, I translated your message for him with lots of BOLD and underlined and I think he got it. He almost thought he was in the clear by now because his computer has now taken back a lot of speed and he doesn't get a bunch of pop-ups offering false AVs that he was buying and paying for. Yes, he did PAY to get infected (bought AlertSpy from a pop-up). He won't be so naive from now on.... (I hope)
Now here is his last Ad Aware scan done in normal mode:
Ad-Aware SE Build 1.06r1
Logfile Created on:25 août, 2005 20:49:52
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R63 24.08.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
istbar(TAC index:7):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-08-25 20:49:52 - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 448
ThreadCreationTime : 2005-08-25 21:44:26
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 508
ThreadCreationTime : 2005-08-25 21:44:31
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 536
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 580
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Applications Services et Contrôleur
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 592
ThreadCreationTime : 2005-08-25 21:44:36
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 780
ThreadCreationTime : 2005-08-25 21:44:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 832
ThreadCreationTime : 2005-08-25 21:44:39
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 928
ThreadCreationTime : 2005-08-25 21:44:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 940
ThreadCreationTime : 2005-08-25 21:44:41
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1128
ThreadCreationTime : 2005-08-25 21:44:43
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:11 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1256
ThreadCreationTime : 2005-08-25 21:44:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1340
ThreadCreationTime : 2005-08-25 21:44:51
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 232
ThreadCreationTime : 2005-08-25 21:45:28
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorateur Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : EXPLORER.EXE
#:14 [imgreg.exe]
FilePath : C:\WINDOWS\system32\Setup\
ProcessID : 424
ThreadCreationTime : 2005-08-25 21:45:33
BasePriority : Normal
#:15 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 484
ThreadCreationTime : 2005-08-25 21:45:36
BasePriority : Normal
FileVersion : 2,80,0,0
ProductVersion : 2,80,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright (c) Hewlett-Packard Company 1999-2001
#:16 [lvcoms.exe]
FilePath : C:\Program Files\Fichiers communs\Logitech\QCDriver3\
ProcessID : 496
ThreadCreationTime : 2005-08-25 21:45:37
BasePriority : Normal
FileVersion : 7.3.0.1113
ProductVersion : 7.3.0.1113
ProductName : Logitech ImageStudio
CompanyName : Logitech Inc.
FileDescription : LVCom Server
InternalName : LVComS.exe
LegalCopyright : (c) 1996-2002 Logitech. All rights reserved.
OriginalFilename : LVComS.exe
#:17 [spool.exe]
FilePath : C:\Program Files\spool\
ProcessID : 500
ThreadCreationTime : 2005-08-25 21:45:37
BasePriority : Normal
#:18 [ikeymain.exe]
FilePath : C:\PROGRA~1\Keyboard\
ProcessID : 512
ThreadCreationTime : 2005-08-25 21:45:39
BasePriority : Normal
#:19 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 596
ThreadCreationTime : 2005-08-25 21:45:39
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE
#:20 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 716
ThreadCreationTime : 2005-08-25 21:45:40
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:21 [gestionnaire antidote.exe]
FilePath : C:\PROGRA~1\Druide\Antidote\Antidote\
ProcessID : 1940
ThreadCreationTime : 2005-08-25 21:46:35
BasePriority : Normal
FileVersion : 1, 5, 0, 0
ProductVersion : 1, 5, 0, 0
ProductName : Gestionnaire Antidote
CompanyName : Druide informatique inc.
FileDescription : Gestionnaire Antidote
InternalName : Gestionnaire Antidote
LegalCopyright : © 1993-2002, Druide informatique inc.
OriginalFilename : Gestionnaire Antidote.exe
#:22 [skype.exe]
FilePath : C:\Program Files\Skype\Phone\
ProcessID : 2032
ThreadCreationTime : 2005-08-25 21:46:39
BasePriority : Normal
#:23 [olfsnt40.exe]
FilePath : C:\Program Files\Microsoft Office\Office\1036\
ProcessID : 288
ThreadCreationTime : 2005-08-25 21:46:47
BasePriority : Normal
FileVersion : 9.0.98.0105
ProductVersion : 9.0.98.0105
ProductName : Symantec Fax Starter Edition Printer Driver
CompanyName : Microsoft Corporation
FileDescription : Symantec Fax Starter Edition Port Launcher
InternalName : OLFSNT40.DLL
LegalCopyright : Copyright (C) Symantec Corp. 1990-1998
OriginalFilename : OLFSNT40.DLL
#:24 [magickey.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Keyboard\
ProcessID : 952
ThreadCreationTime : 2005-08-25 21:46:58
BasePriority : Normal
#:25 [mouseap.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Mouse\
ProcessID : 864
ThreadCreationTime : 2005-08-25 21:46:59
BasePriority : Normal
#:26 [osd.exe]
FilePath : C:\Program Files\Wireless Device\Wireless Keyboard\
ProcessID : 1324
ThreadCreationTime : 2005-08-25 21:47:02
BasePriority : Normal
FileVersion : 2, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : WAYTECH OSD
CompanyName : WayTech Development, Inc.
FileDescription : OSD
InternalName : OSD
LegalCopyright : (C)1998-2000 WayTech Development, Inc.
OriginalFilename : OSD.exe
#:27 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1788
ThreadCreationTime : 2005-08-25 21:47:21
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Système d'exploitation Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Mises à jour automatiques
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Tous droits réservés.
OriginalFilename : wuauclt.exe
#:28 [netscp.exe]
FilePath : C:\PROGRA~1\Netscape\Netscape\
ProcessID : 2540
ThreadCreationTime : 2005-08-25 23:06:04
BasePriority : Normal
#:29 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3860
ThreadCreationTime : 2005-08-26 00:49:09
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
istbar Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment : "disp"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion
Value : disp
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1078 entries scanned.
New critical objects:0
Objects found so far: 1
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
21:06:15 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:16:22.613
Objects scanned:192008
Objects identified:1
Objects ignored:0
New critical objects:1
Sorry Corrine... I rushed to HJT to tell them he doesn't have Spybot or Host File or if he does... he doesn't know he has it. Here is what we found in his add/remove programs:
Ad-Aware SE Personal 3,20
Adobe Photoshop 6.0 92,16
AutoCAD 2005 341.
AutoCAD 2005 Express Tools 5,53
Autodesk DWF Viewer
C-Dilla Licence Management System
Correctif Windows XP KB823559
Correctif Windows XP KB828741
Correctif Windows XP KB833987
Correctif Windows XP KB835732
Correctif Windows XP KB840987
Correctif Windows XP KB841356
Correctif Windows XP KB841533
Correctif Windows XP KB842773
Correctif Windows XP KB873376
Correctif Windows XP KB885523
Correctif Windows XP KB887822
Date Manager ,76
DivX 4 Windows codec 4,0 alpha 50
HP Photosmart series printer (remove only) 13,74
Keywork 6,12
Java Web Start 1,84
Logitech Desktop Messenger 1,39
Logitech M VideoCompanion 1,39
Memory Blaster 2,3
Microsoft .NET Framework 1,1 37,4
Microtek ScanWizard 1,11
Nero Burning Rom
Netscape 7,02
Package correctif Windows XP
Precision Time
QuickTime 2,29
Shockwave
Real Player 8,68
Spool ,08
Suppress plus 3,2
Top Five Search.com Search Assistant
Trace Blaster 3.02
View Point Media Player 2,62
Weather Cash 0,14
Windows XP Application Q 309521
Windows XP Hotfix SP1 329048
Windows XP Hotfix SP1 329390
Windows XP Hotfix SP1 329441
Windows XP Hotfix SP1 329834
Windows XP SP1 Q 329196
Windows XP 810577
Windows XP 817606
Wireless Keyboard 1,43
He is willing to remove any programs as long as he can keep his Photoshop and AutoCAD... He had already removed a whole bunch before typing this list.
Based on the little I know about HJT, I think it is safest to have one of the HJT analysts take over with that log there. I believe there are still a couple of nasties on that PC that he will have to deal with. :(