
46 Posts
Discussion Starter · #1 ·
Folks,

Whether you believe that my son was the one surfing inappropriate sites or not - adult websites are now contained in my favorites on Internet Explorer.

I deleted them but they come back every time I log on.

Does anyone know what is going on here and how I can clean things up without reimaging my system?

Sincerely - jg1234
 

2,438 Posts
Depending upon your security settings, the junk could get on your computer intentionally or unintentionally. Sometimes it is as simple as clicking on a pop-up without actually reading it.

Something like Ad-Aware can clean your computer of unwanted stuff ...

Go here for the free Ad-Aware 6 Personal Build 181: http://www.lavasoft.de/support/download/

Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

Then see that you have these options checked:
Under Ad-aware 6 Settings, Scanning, Memory & Registry:
"Scan My Hosts File" ...

Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
"Let Windows remove files in use after reboot."

Next ...

Run Ad-Aware 6.
Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
Make a Quarantine only if you do not have the Auto-Quarantine option ON.
Then choose "Next" to remove the chosen objects.
Finally ... Reboot

Please read http://forums.techguy.org/t164245/s.html for further instructions, settings, etc.

Then, please do as stillearning suggests, and post your HJT logfile ... if there is anything remaining, we can get rid of it.
 

46 Posts
Discussion Starter · #5 ·
Hi Folks,

Sorry it took so long to reply. I had to do it tonight when I got home from work.

Here is my "logfile" from the Ad Aware program. There were some instructions about performing a Quarantine or removing files but I decided to post the file first.

Here it is below. I am new to this so if you folks can tell me what to do now that would be great.

I really appreciate all the help !!

jg1234

____________________________________
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, March 23, 2004 9:40:16 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R274 23.03.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R217 08.09.2003
Internal build : 107
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 574398 Bytes
Signature data size : 563299 Bytes
Reference data size : 11035 Bytes
Signatures total : 12937
Target categories : 10
Target families : 267
3-23-2004 9:25:48 PM Performing Webupdate...

Installing Update...
Reference file loaded:
Reference Number : 01R274 23.03.2004
Internal build : 201
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 982472 Bytes
Signature data size : 965349 Bytes
Reference data size : 17059 Bytes
Signatures total : 21741
Target categories : 10
Target families : 464

3-23-2004 9:29:50 PM Success.
Update successfully downlodaded and installed.

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:61 %
Total physical memory:327116 kb
Available physical memory:130432 kb
Total page file size:1024000 kb
Available on page file:921204 kb
Total virtual memory:2093056 kb
Available virtual memory:2040256 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

3-23-2004 9:40:16 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293873999
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:43:30 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294940591
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:32 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294850159
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 5/15/2002 1:45:16 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294851627
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:32 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294836927
Threads : 2
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 5/15/2002 1:44:33 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:6 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294867959
Threads : 16
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 5/15/2002 1:40:37 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:7 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294884659
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:38 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:8 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294782035
Threads : 2
Priority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 1/2/2004 8:15:13 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 1/2/2004 8:15:14 PM

#:9 [exec.exe]
FilePath : C:\WINDOWS\DESKTOP\NETZERO\
ProcessID : 4294792507
Threads : 3
Priority : Normal
FileSize : 88 KB
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
Created on : 11/4/2003 2:51:06 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 11/4/2003 2:51:06 PM

#:10 [olehelp.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294811883
Threads : 1
Priority : Normal
FileSize : 14 KB
Created on : 3/21/2004 4:21:48 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/21/2004 4:22:04 AM

#:11 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294804087
Threads : 3
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:35 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:12 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294833751
Threads : 5
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:38 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:13 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294820771
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 5/15/2002 1:44:43 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:14 [exec.exe]
FilePath : C:\WINDOWS\DESKTOP\NETZERO\
ProcessID : 4294751803
Threads : 33
Priority : Normal
FileSize : 88 KB
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
Copyright : Copyright
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
Created on : 11/4/2003 2:51:06 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 11/4/2003 2:51:06 PM

#:15 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294055507
Threads : 7
Priority : Realtime
FileSize : 31 KB
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 3/3/2003 10:56:30 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 5/1/2002 11:51:36 PM

#:16 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294160819
Threads : 5
Priority : Normal
FileSize : 72 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 5/15/2002 1:40:40 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:17 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294002539
Threads : 5
Priority : Normal
FileSize : 72 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 5/15/2002 1:40:40 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:18 [realplay.exe]
FilePath : C:\PROGRAM FILES\REAL\REALPLAYER\
ProcessID : 4293928527
Threads : 7
Priority : Normal
FileSize : 200 KB
FileVersion : 6.0.11.868
ProductVersion : 6.0.11.868
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealOne Player
InternalName : REALPLAY
OriginalFilename : REALPLAY.EXE
ProductName : RealOne Player (32-bit)
Created on : 1/2/2004 8:15:25 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 1/2/2004 8:15:26 PM

#:19 [rnathchk.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294392071
Threads : 1
Priority : Normal
FileSize : 56 KB
FileVersion : 7.0.0.1176
ProductVersion : 7.0.0.1176
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks ATH Check App
InternalName : rnathchk
OriginalFilename : rnathchk.EXE
ProductName : RealOne Player (32-bit)
Created on : 1/2/2004 8:15:12 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 1/2/2004 8:15:14 PM

#:20 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294044443
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/24/2004 2:24:55 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

Hi-Wire Object recognized!
Type : RegKey
Data :
Category : Misc
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\HIWIRE

Other Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Aveo

CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP

Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :

Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 6
Objects found so far: 6

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 6

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/22/2004 1:33:54 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/22/2004 1:33:56 PM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/23/2004 7:51:43 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/23/2004 7:51:44 PM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/23/2004 1:43:08 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/23/2004 1:43:10 PM

Tracking Cookie Object recognized!
Type : File
Data : [email protected]rver[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/23/2004 1:45:02 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/23/2004 1:45:04 PM

Tracking Cookie Object recognized!
Type : File
Data : [email protected]ox[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/23/2004 1:43:08 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/23/2004 1:43:10 PM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:09 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:10 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected]4[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:14 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:16 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected]rtising[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:49 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:50 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected]ificpop[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:26 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:28 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:49 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:50 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:49 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:50 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:07:56 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:07:58 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:08:07 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:08:08 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:09:45 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:09:46 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:12:32 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:12:34 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 1:46:12 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 1:46:14 AM

Tracking Cookie Object recognized!
Type : File
Data : [email protected][2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/24/2004 2:18:17 AM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/24/2004 2:18:18 AM

CoolWebSearch Object recognized!
Type : File
Data : a0113452.cpy
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\
FileSize : 72 KB
Created on : 3/21/2004 5:30:32 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/21/2004 5:30:56 PM

CoolWebSearch Object recognized!
Type : File
Data : a0113453.cpy
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\
FileSize : 72 KB
Created on : 3/21/2004 5:31:00 PM
Last accessed : 3/23/2004 5:00:00 AM
Last modified : 3/21/2004 5:31:02 PM

Aveo Attune Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\Program Files\Aveo\Attune

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 26

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{48E59291-9880-11CF-9754-00AA00C00908}

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{48E59292-9880-11CF-9754-00AA00C00908}

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html

CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : svchost

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 30

10:12:54 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:32:37:540
Objects scanned :165603
Objects identified :30
Objects ignored :0
New objects :30
 

2,438 Posts
All of those items can be removed by Ad-Aware ...

Run the program again, and from the "Scan complete" window ...
Click on "Next".

This will take you to the "Results" window ... to remove everything, right click in the Results List and click "Select all objects".

Click "Next" to remove the chosen objects.
Click "OK".

Then please post a HJT log ...

Go here and download HijackThis v1.97.7: http://www.majorgeeks.com/download.php?det=3155

It is a zip file, so you will need to unzip it.

Run HJT and then you will need to post the contents of the logfile it creates ... simply click "Save log" in order to create it ... it will open in Notepad, and you can copy/paste it here.

Do not fix anything until after the logfile is reviewed. Most of what is found is harmless or essential to the safe workings of your computer.
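Winchester73's point that most of what a scanner reports is harmless is worth making concrete. The script below is an added example, not code from this thread or from Lavasoft: it parses the "Object recognized!" records of the Ad-aware 6 logfile format posted above, groups them by Category, and pulls out the registry entries that actually decide what Internet Explorer does or what runs at logon (the HOMEOldSP value, the text/html protocol filter, the Run value named "svchost") so they can be checked by hand, separately from tracking cookies and ID values that only leak data. The sample records are copied from the log above except the cookie file name, which is a constructed placeholder; the set of registry locations treated as control points is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the Ad-aware 6 logfile format: records copied from the
# log posted in this thread, except the cookie file name, which is a placeholder.
SAMPLE_ADAWARE_LOG = r"""CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment : "HOMEOldSP"
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Microsoft\Internet Explorer\Main
Value : HOMEOldSP

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1

Tracking Cookie Object recognized!
Type : File
Data : jg@example-adserver[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/22/2004 1:33:54 PM

Aveo Attune Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : C:\Program Files\Aveo\Attune

CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : PROTOCOLS\Filter\text/html

CoolWebSearch Object recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Run
Value : svchost
"""

REC_START = re.compile(r"^(.+?) Object recognized!$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")
# Section headers and per-section summaries terminate the record being read.
SECTION = re.compile(r"^(Started |Performing |Deep scanning|Listing |Memory scan|Summary of|.*scan result|.*Scan complete)")

def parse_records(text):
    """Turn each 'X Object recognized!' block into a dict; X is stored under 'family'."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REC_START.match(line)
        if m:
            cur = {"family": m.group(1)}
            records.append(cur)
            continue
        if cur is None or SECTION.match(line):
            cur = None
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            # Cookie records list "Data" twice; keep the first non-empty value.
            if val and not cur.get(key):
                cur[key] = val
    return records

def location(rec):
    """Registry path (with value name) or file-system path of the object."""
    if rec.get("Type", "").startswith("Reg"):
        loc = rec.get("Rootkey", "") + "\\" + rec.get("Object", "")
        return loc + " -> " + rec["Value"] if rec.get("Value") else loc
    return rec.get("Object", "") + rec.get("Data", "")

def by_category(records):
    groups = defaultdict(list)
    for r in records:
        groups[r.get("Category", "Unknown")].append(r)
    return groups

# ASSUMPTION of this example: registry locations that decide what IE does or
# what runs at logon. Anything here is checked by hand whatever its category.
CONTROL_PATTERNS = ("\\run", "internet explorer", "protocols\\filter")

def control_points(records):
    return [location(r) for r in records
            if r.get("Type", "").startswith("Reg")
            and any(p in r.get("Object", "").lower() for p in CONTROL_PATTERNS)]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_ADAWARE_LOG)
    for cat, items in sorted(by_category(recs).items()):
        print(cat, [location(r) for r in items])
    print("IE/autostart entries:", control_points(recs))
```

Run against a full log, the category summary tells you how much of the count is cookies, and the control-point list is the short set of entries to compare against the HijackThis R/O4 lines before clicking "Select all objects".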
 

46 Posts
Discussion Starter · #7 ·
Winchester73,

Thanks. I will do that as soon as I have a chance - hopefully tonight, otherwise I will have to wait until Friday.

I will try to post the results right away so maybe I can view your response and take some action.

Can't tell you how much I appreciate this !!

jg1234
 

2,438 Posts
Two things I forgot to mention about your Ad-Aware log ...

The Alexa object ... here is some information about it:

Alexa key:HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\ is the "What's related links" feature on your Internet Explorer toolbar. It's not a big deal, if you use it don't delete it. You can add it to the Ad-Aware Ignore list if you want to keep it. Some people find the toolbar handy, others don't, and don't want anything transmitting data about them or their computer, so they remove it.

Alexa technology does use a 'web crawler' (bot) that records the information found on webpages accessed when the 'What's related feature' is being used in Internet Explorer. When the 'What's related feature' in IE is not being used, no information is sent to Alexa.

I should add that if you remove Alexa, and need to reinstall IE or repair it, Alexa will come back automatically ... a service pack update to your OS will likely return it as well.

Alexa's privacy policy:
ALEXA COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW, THE DATA YOU ENTER IN ONLINE FORMS AND SEARCH FIELDS WHILE USING THE ALEXA SOFTWARE, AND, WITH VERSIONS 5.0 AND HIGHER OF THE BROWSER COMPANION SOFTWARE, THE PRODUCTS YOU PURCHASE ONLINE. ALTHOUGH ALEXA DOES NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY ALEXA USER, SOME INFORMATION COLLECTED BY THE SOFTWARE IS PERSONALLY IDENTIFIABLE. ALEXA AGGREGATES AND ANALYZES THE INFORMATION IT COLLECTS TO IMPROVE ITS SERVICE AND TO PREPARE REPORTS ABOUT AGGREGATE WEB USAGE AND SHOPPING HABITS.

The two Windows Media Player targets are safe to delete. They are the Windows Media Player Client ID. Removing them will not harm the functionality of WMP in any way. It's only that ID that is being removed; there are no changes made to any WMP core files. Ad-aware 6 will only blank out this number, no other changes are made.

If you remove these two objects, your WMP will continue to function just fine. If you prefer to have your ID transmitted, place the objects in the ignore list.
 

2,438 Posts
AA will remove anything CWS-related that Aaron has in the database ... submissions help him add to the reference file.

There are new, ugly variants appearing all the time.

SmartSearch.2 variant was able to evade CWShredder for a while (not sure if it still does) by re-loading itself with a random string of numbers/letters as the title bar.

While I have no objection or complaints about CWShredder, and it may indeed remove every known CWS variant perfectly ... it doesn't make backups or copies of what is removed, so nothing can be submitted for inclusion into the databases of the various anti-trackware applications. If it were to do so, I'd recommend it more often. Just my own personal bias ... it helps the currently infected user, but does nothing to further the fight to protect the future user.

CWShredder does have a logfile, but it may only display the hijacked registry keys.
 

46 Posts
Discussion Starter · #14 ·
Hi Folks,

Sorry it took me a while to post this HijackThis log but I was busy at work. If someone could take a look at the HijackThis log below and let me know what to do, that would be great. I used Ad-Aware 6.0, then HijackThis v1.97.7, to get this log.

Any help would be appreciated. - jg1234

Logfile of HijackThis v1.97.7
Scan saved at 6:13:07 PM, on 3/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE
C:\WINDOWS\OLEHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-all.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://awebfind.biz/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://awebfind.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://awebfind.biz/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\NZSEARCHENH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\WINDOWS\DESKTOP\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [uoltray] C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE regrun
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
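The R0/R1 lines in the log above are what the helpers in this thread read as the CoolWebSearch signature: every search and start-page setting redirected to the same handful of hosts. The script below is an added example, not part of the thread and not HijackThis's own code; it parses lines in the HijackThis v1.97.7 format and flags R0/R1 settings that point at hosts outside an allowlist, a third-party URLSearchHook, and O4 autostart entries launched from user-writable folders, which is the triage a reviewer does before telling someone what to "Fix checked". The sample lines are copied from the log above plus one constructed R1 line pointing at a trusted host; the TRUSTED_SEARCH_HOSTS allowlist and the USER_WRITABLE folder list are assumptions of this example, not values the tool or the thread defines.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis v1.97.7 log posted in this
# thread, plus one made-up R1 line that points at a trusted host.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.inf/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-all.net/sp.html
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\NZSEARCHENH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [uoltray] C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE regrun
O4 - Startup: PowerReg Scheduler.exe
"""

# ASSUMPTION: hosts an unmodified IE 5.5 may legitimately use for search/start
# pages. A practitioner maintains this list; HijackThis does not ship one.
TRUSTED_SEARCH_HOSTS = {"www.msn.com", "search.msn.com", "www.microsoft.com", "home.microsoft.com"}
# ASSUMPTION: folders an ordinary user can write to, where autostart binaries rarely belong.
USER_WRITABLE = ("\\DESKTOP\\", "\\TEMP\\", "\\TEMPORARY INTERNET FILES\\")

R_LINE = re.compile(r"^(R[01]) - (.+?) = (.+)$")
HOOK_LINE = re.compile(r"^(R3) - URLSearchHook: (.+?) - (\{[0-9A-F-]+\}) - (.+)$", re.I)
O4_LINE = re.compile(r"^(O4) - (.+?): \[(.+?)\] (.+)$")
STARTUP_LINE = re.compile(r"^(O4) - Startup: (.+)$")

@dataclass
class Finding:
    section: str   # HijackThis section code (R0, R1, R3, O4)
    severity: str  # "hijack" = the CWS pattern seen in this thread; "review" = look at it by hand
    target: str    # host, DLL or command the entry points at
    detail: str

def host_of(url):
    return (urlsplit(url.strip()).hostname or "").lower()

def triage_hjt(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            sec, setting, url = m.groups()
            host = host_of(url)
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(sec, "hijack", host, f"{setting} redirected to {host}"))
        elif m := HOOK_LINE.match(line):
            sec, _name, clsid, path = m.groups()
            findings.append(Finding(sec, "review", path, f"third-party URLSearchHook {clsid} in {path}"))
        elif m := O4_LINE.match(line):
            sec, key, name, cmd = m.groups()
            if any(tag in cmd.upper() for tag in USER_WRITABLE):
                findings.append(Finding(sec, "review", cmd, f"{key} [{name}] starts from a user-writable folder"))
        elif m := STARTUP_LINE.match(line):
            findings.append(Finding(m.group(1), "review", m.group(2), "Startup folder item"))
    return findings

def hijacked_hosts(findings):
    """Distinct hosts the R0/R1 settings were pointed at: the set the helpers ask the user to fix."""
    return sorted({f.target for f in findings if f.severity == "hijack"})

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section} {f.severity:7} {f.detail}")
    print("hijacked hosts:", hijacked_hosts(triage_hjt(SAMPLE_HJT_LOG)))
```

The "review" entries are deliberately not called malicious: the NetZero search hook and the NetZero exec.exe on the desktop are the ISP's own software, and the point of the split is that a reviewer confirms those by hand while the redirected search settings can be acted on straight away.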
 

46,353 Posts
Click here to download CWShredder. Close all browser windows, unzip the file, click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

When it is finished restart your computer.

IMPORTANT!: To help prevent this from happening again, I strongly recommend you install the patches for the vulnerabilities that this hijacker exploits.

The simplest way to make sure you have all the security patches is to go to Windows Update and install all "Critical Updates and Service Packs".

Come back here and post another Hijack This log and we'll get rid of what's left.
 

46 Posts
Discussion Starter · #16 ·
Flrman1,

Hey - thanks so much - I would be lost without this help.

Here is the latest HijackThis file.

Could you take a look and let me know.

Logfile of HijackThis v1.97.7
Scan saved at 7:24:37 PM, on 3/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\SAVE JG & RESTORE\RESTORE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-all.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\NZSEARCHENH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\WINDOWS\DESKTOP\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [uoltray] C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE regrun
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
 

Registered · 46,353 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-all.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-all.net/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/


Restart your computer.

I'm not so sure you are pasting your whole log here. After you fix those, post one more log. Scan again with HJT and save the log. When it opens in Notepad, click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
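The four R0/R1 entries above all redirect Internet Explorer's search settings to one outside host, which is the classic signature of a search hijack. As an added illustration (not part of this thread or of HijackThis itself), the following Python script parses R0/R1 lines from a HijackThis log and flags any whose URL points somewhere other than an allow-list of hosts Internet Explorer legitimately uses. The allow-list and the two benign sample lines are assumptions constructed for the example; the four flagged lines are taken from the log posted above.

```python
import re
from urllib.parse import urlparse

# A HijackThis R0/R1 line has the shape:
#   R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html
# i.e. section, hive, registry key, value name, and the value's data.
R_LINE = re.compile(
    r"^(?P<section>R[01]) - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$"
)

# Hosts Internet Explorer legitimately points its search settings at.
# This allow-list is an assumption for the example, not something HijackThis ships.
TRUSTED_HOSTS = {"www.microsoft.com", "search.msn.com", "www.msn.com", "msn.com"}

# Constructed sample log: the four R0/R1 lines are from the log posted in this thread;
# the "Start Page" and "Default_Search_URL" lines are benign examples added here.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-all.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-all.net/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-all.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\NZSEARCHENH.DLL
"""


def parse_r_line(line):
    """Return a dict of the R0/R1 fields, or None for any other line (R3, O4, ...)."""
    m = R_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(entry):
    """True when the value's data is an http(s) URL on a host outside the allow-list."""
    parsed = urlparse(entry["data"].strip())
    if parsed.scheme not in ("http", "https"):
        # about:blank, local files and empty values are not remote redirects.
        return False
    host = (parsed.hostname or "").lower()
    return host not in TRUSTED_HOSTS


def flag_hijacked_search_settings(log_text):
    """Return the R0/R1 entries in a HijackThis log that point at an untrusted host."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_r_line(line)
        if entry and is_suspicious(entry):
            flagged.append(entry)
    return flagged


def summarize_by_host(entries):
    """Group flagged entries by host so one hijacker's footprint is visible at a glance."""
    summary = {}
    for entry in entries:
        host = urlparse(entry["data"].strip()).hostname.lower()
        location = f'{entry["hive"]}\\{entry["key"]},{entry["value"]}'
        summary.setdefault(host, []).append(location)
    return summary


if __name__ == "__main__":
    hits = flag_hijacked_search_settings(SAMPLE_LOG)
    for host, locations in summarize_by_host(hits).items():
        print(f"{host}: {len(locations)} search setting(s) redirected")
        for loc in locations:
            print(f"  {loc}")
```

Grouping by host is the useful part: when every redirected setting lands on the same domain, as here, the four entries are one infection rather than four, and "Fix checked" on all of them at once (which resets R0/R1 values to their defaults) is the right response. Anything the script leaves unflagged is not proof of a clean machine; it only covers the R0/R1 lines, and the rest of the log still needs to be read.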
 

Registered · 46 Posts · Discussion Starter · #18
Flrman1,

Again, thanks. I deleted the 4 files like you said and re-ran the log.

I may have not copied the log correctly last time. Here is the latest log.

jg1234

Logfile of HijackThis v1.97.7
Scan saved at 7:50:55 PM, on 3/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\SAVE JG & RESTORE\RESTORE\HIJACKTHIS.EXE

R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\NZSEARCHENH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\WINDOWS\DESKTOP\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [uoltray] C:\WINDOWS\DESKTOP\NETZERO\EXEC.EXE regrun
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Dell Home (HKCU)
 

Registered · 46 Posts · Discussion Starter · #20
Flrman1,

Don't know what to say - except thanks so much - to you and everyone else - great forum.

I will make a donation to keep it going.

Thanks so much!
 