Homepage problems
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sat Mar 13, 2004 13:01 pm    Post subject: Homepage problems

OK, I have a problem. My homepage keeps changing to C:\WINDOWS\homepage.htm. I've tried Spybot, Ad-aware, and I have SpywareBlaster. None of them worked. I have downloaded HijackThis. Can you please help me with this? It's really annoying.
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sat Mar 13, 2004 13:25 pm

Hi, lion6644. Let's see what we can do to help you out. First I need to see a logfile. Start by checking to ensure that you have the current build. Open Ad-aware and check that it shows Build 6.181 at the bottom right corner of the Ad-Aware start screen.

Next, click the Globe icon to get the latest reference file. This is illustrated at Webupdate.

Then please set up Ad-Aware for a Full (Custom) Scan using the instructions below and also at Full Scan Settings.

CUSTOM SCAN SETUP:

Ad-Aware 6 comes pre-configured with default options that are already ON (green checkmark) ... do not change them. The following are changes that you will need to make to prepare the "Full" custom scan that is recommended for the first look into your computer (instead of a red "x", you will make them a green "checkmark"):
Launch the program, and click on the Gear at the top of the start screen to access the preferences/setting window.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.

When you are finished, you will be using the Custom Scan with Memory and Both registry scans ON. Please make sure that you activate IN-DEPTH scanning before you proceed.

NOTE: In the free Personal version of A-A, you will notice that some options are greyed out ... these settings are only available for users of the purchased Plus and Professional versions of the program. For the Full Scan setup instructions for the Plus or Professional versions, or if you have previously changed your settings in the Personal version, see this thread: http://www.lavahelp.com/howto/fullscan/index.html

After you have set up these options, be sure to choose "Custom Scan" not "Smart Scan" and choose next.

Scan your computer; don't quarantine or remove anything at this time, just post a complete logfile. You will know you're at the end when you see a summary of objects found.

Post back if you have any questions.

Thanks
_________________
Freedomlist.com (March 1, 2000 - 2013)



Take a walk through my Security Garden
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sat Mar 13, 2004 16:55 pm

Here's the log file

ArchiveData(auto-quarantine- 12-03-2004 19-12-26.bckp)
======================================================

QUARANTINE FILE DELETED
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sat Mar 13, 2004 17:57 pm

What you've posted is your quarantine file, rather than your log file. Please go to C:\Program Files\Lavasoft\Ad-aware 6\Logs and find the logfile with today's date. Double click to open it, click Edit | Select all, Edit | Copy. Then post the logfile as a reply.

Thanks!
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sat Mar 13, 2004 18:32 pm

Sorry, here's the log

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, March 13, 2004 3:24:41 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R267 12.03.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R267 12.03.2004
Internal build : 194
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 941552 Bytes
Signature data size : 924908 Bytes
Reference data size : 16580 Bytes
Signatures total : 20875
Target categories : 10
Target families : 446

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:40 %
Total physical memory:261664 kb
Available physical memory:102376 kb
Total page file size:633920 kb
Available on page file:462880 kb
Total virtual memory:2097024 kb
Available virtual memory:2050668 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


3-13-2004 3:24:41 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 3-13-2004 9:10:48 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:10:54 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:10:55 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:25 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:10:55 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:10 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:10:55 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:10:55 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:10:57 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:8 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:10:58 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.13.01.1461
ProductVersion : 5.13.01.1461
Copyright : Copyright
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 14.61
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 14.61
Created on : 9/8/2001 4:53:59 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/8/2001 9:00:00 PM

#:9 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:10:58 PM
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
OriginalFilename : TCPSVCS.EXE
ProductName : Microsoft
Created on : 9/8/2001 4:53:30 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:10 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:10:58 PM
BasePriority : Normal
FileSize : 29 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
OriginalFilename : snmp.exe
ProductName : Microsoft
Created on : 3/7/2004 5:37:37 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:10:59 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:12 [tmntsrv.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-13-2004 9:10:59 PM
BasePriority : Normal
FileSize : 119 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : TMNTSRV
InternalName : TMNTSRV
OriginalFilename : TMNTSRV.exe
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:18:54 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:18:54 AM

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 3-13-2004 9:11:33 PM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 9/8/2001 4:53:04 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:14 [qttask.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-13-2004 9:11:38 PM
BasePriority : Normal
FileSize : 28 KB
Created on : 9/8/2001 6:56:57 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/8/2001 6:56:58 PM

#:15 [pop3trap.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-13-2004 9:11:38 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : Pop3trap
InternalName : Pop3trap
OriginalFilename : Pop3trap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:25:32 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:25:32 AM

#:16 [webtrapnt.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-13-2004 9:11:38 PM
BasePriority : Normal
FileSize : 230 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : WebTrap MFC Application
InternalName : WebTrap
OriginalFilename : WebTrap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:20:08 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:20:08 AM

#:17 [hpwuschd.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ThreadCreationTime : 3-13-2004 9:11:38 PM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
OriginalFilename : hpwuSchd.exe
ProductName : Hewlett-Packard hpwuSchd
Created on : 6/25/2003 5:24:48 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/25/2003 5:24:48 PM

#:18 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ThreadCreationTime : 3-13-2004 9:11:39 PM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
OriginalFilename : HPCmpMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/27/2003 12:50:24 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/27/2003 12:50:24 AM

#:19 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 3-13-2004 9:11:40 PM
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.76.046
ProductVersion : 9.76.046
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 2/7/2004 7:19:02 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/19/2003 3:50:00 PM

#:20 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 3-13-2004 9:11:45 PM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 1:30:14 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 4/15/2003 1:30:14 AM

#:21 [tgcmd.exe]
FilePath : c:\progra~1\Support.com\client\bin\
ThreadCreationTime : 3-13-2004 9:11:47 PM
BasePriority : Normal
FileSize : 1376 KB
FileVersion : 5,0,307,0
ProductVersion : 5,0,307,0
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : tgcmd Module
InternalName : TGCMD
OriginalFilename : TGCMD.DLL
ProductName : tgcmd Module
Created on : 8/3/2001 9:39:05 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/4/2001 1:21:42 AM

#:22 [wcescomm.exe]
FilePath : C:\Program Files\Microsoft ActiveSync\
ThreadCreationTime : 3-13-2004 9:11:47 PM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 3.5.0.12007
ProductVersion : 3.5.12007
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 2/7/2004 7:33:21 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/7/2002 7:24:10 PM

#:23 [nclaunch.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 3-13-2004 9:11:49 PM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 2, 2, 0, 106
ProductVersion : 2, 2, 0, 106
Copyright : Copyright
CompanyName : Northcode Inc.
FileDescription : NCLaunch
InternalName : NCLaunch
OriginalFilename : NCLaunch.exe
ProductName : Northcode NCLaunch
Created on : 3/10/2004 1:28:19 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/10/2004 1:28:20 AM

#:24 [vaserv.exe]
FilePath : C:\Program Files\Sony\VAIO Action Setup\
ThreadCreationTime : 3-13-2004 9:11:50 PM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1.4.00.08230
ProductVersion : 1.4.00.08230
Copyright : Copyright 2000,2001 Sony Corp.
CompanyName : Sony Corporation
FileDescription : VAServ Application
InternalName : VAServ
OriginalFilename : VAServ.EXE
ProductName : VAIO Action Setup
Created on : 9/8/2001 6:51:48 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/23/2001 11:11:26 PM

#:25 [pntiomon.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-13-2004 9:11:55 PM
BasePriority : Normal
FileSize : 147 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : PNTIOMON
InternalName : PNTIOMON
OriginalFilename : PNTIOMON.exe
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:17:10 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:17:10 AM

#:26 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ThreadCreationTime : 3-13-2004 9:11:56 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 5.31.0.147
ProductVersion : 005.031.000.147
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
OriginalFilename : HPQTRA00.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 7/7/2003 7:20:40 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 7/7/2003 7:20:40 AM

#:27 [pccntupd.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-13-2004 9:11:58 PM
BasePriority : Normal
FileSize : 38 KB
Created on : 9/7/2001 2:17:28 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:17:28 AM

#:28 [hptskmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\comp\
ThreadCreationTime : 3-13-2004 9:12:05 PM
BasePriority : Normal
FileSize : 124 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Task Management Component
InternalName : HP Task Management Component
OriginalFilename : HPTskMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/27/2003 12:50:24 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/27/2003 12:50:24 AM

#:29 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-13-2004 9:12:13 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 8/11/2003 8:07:38 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/11/2003 8:07:38 AM

#:30 [msn6.exe]
FilePath : C:\Program Files\MSN\MSNCoreFiles\
ThreadCreationTime : 3-13-2004 9:12:42 PM
BasePriority : Normal
FileSize : 92 KB
FileVersion : 7.02.0011.2700
ProductVersion : 7.02.0011.2700
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : msn
InternalName : msn
OriginalFilename : msn.exe
ProductName : Microsoft(R) MSN (R) Communications System
Created on : 11/27/2002 8:54:46 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 11/27/2002 8:54:46 PM

#:31 [aim.exe]
FilePath : C:\Program Files\AIM\
ThreadCreationTime : 3-13-2004 9:12:50 PM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 5.5.3572
ProductVersion : 5.5.3572
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Instant Messenger
InternalName : AIM
OriginalFilename : AIM.EXE
ProductName : AOL Instant Messenger
Created on : 2/7/2004 10:59:47 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/4/2004 8:29:24 PM

#:32 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 3-13-2004 9:13:29 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 9/8/2001 5:04:42 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:33 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\Office\
ThreadCreationTime : 3-13-2004 9:15:10 PM
BasePriority : Normal
FileSize : 8592 KB
FileVersion : 9.0.2717
ProductVersion : 9.0.2717
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Word for Windows
InternalName : WinWord
OriginalFilename : WinWord.exe
ProductName : Microsoft Office 2000
Created on : 3/18/1999 5:38:10 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/18/1999 5:38:10 AM

#:34 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 3-13-2004 9:20:08 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 2/27/2004 5:16:23 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 7/13/2003 4:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 10f.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:32 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 110.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:32 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 111.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 112.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 113.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 114.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 115.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 117.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



Win32.Backdoor.Jeem Object recognized!
Type : File
Data : 118.tmp
Category : Malware
Comment :
Object : C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\
FileSize : 31 KB
Created on : 3/13/2004 1:02:33 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/27/2004 11:56:10 PM



WildTangent Object recognized!
Type : File
Data : a0008560.cpl
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 44 KB
FileVersion : 1.6.1.2
ProductVersion : 1.6.1.2
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wtcpl
InternalName : wtcpl
OriginalFilename : wtcpl.cpl
ProductName : Wild Tangent wtcpl
Created on : 2/7/2004 11:05:47 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/24/2003 12:48:48 AM



WinlogonEXE Object recognized!
Type : File
Data : a0008561.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 107 KB
Created on : 2/28/2004 12:00:19 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/6/2004 4:43:50 PM



WinlogonEXE Object recognized!
Type : File
Data : a0008562.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 35 KB
Created on : 2/28/2004 12:00:22 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 2/28/2004 12:00:24 AM



WildTangent Object recognized!
Type : File
Data : a0008563.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright (C) 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer
Created on : 2/7/2004 11:05:36 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/12/2004 8:29:28 PM



WildTangent Object recognized!
Type : File
Data : a0008564.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 100 KB
FileVersion : 1.0.0.28
ProductVersion : 1.0.0.28
Copyright : Copyright (C) 2003
CompanyName : Wild Tangent
FileDescription : AIM WD installer
Created on : 2/7/2004 10:59:47 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/12/2004 8:29:28 PM



New.Net Object recognized!
Type : File
Data : a0008565.exe
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 192 KB
Created on : 3/1/2004 9:33:09 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 12/16/2002 10:46:02 PM



Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 15


Deep scanning and examining files (D:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Edise Object recognized!
Type : File
Data : a0008566.dll
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 45 KB
Created on : 1/9/2004 11:21:27 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/9/2004 11:21:28 PM



CoolWebSearch Object recognized!
Type : File
Data : a0008567.exe
Category : Malware
Comment :
Object : D:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP26\
FileSize : 7 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright (C) 2003
FileDescription : puper MFC Application
InternalName : puper
OriginalFilename : puper.EXE
ProductName : puper Application
Created on : 1/11/2004 4:27:24 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/25/2004 5:32:36 PM



Disk scan result for D:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 17


Deep scanning and examining files (E:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for E:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 17


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
4 entries scanned.
New objects :0
Objects found so far: 17




Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

WildTangent Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Control Panel\MMCPL


WildTangent Object recognized!
Type : Folder
Category : Data Miner
Comment :
Object : c:\windows\wt


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{48E59291-9880-11CF-9754-00AA00C00908}


CoolWebSearch Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{48E59292-9880-11CF-9754-00AA00C00908}


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 4
Objects found so far: 21


3:46:00 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:21:18:375
Objects scanned :276071
Objects identified :21
Objects ignored :0
New objects :21
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sat Mar 13, 2004 18:54 pm

Ok, lion6644, good job on posting the logfile! Now, we have several things going on here.

First, please go to C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\ and empty the quarantine file.

Next, carefully follow the instructions below to clear system restore:

Windows XP

1. Click Start, and then right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Repeat steps 1 through 6, except in step 4, uncheck Turn Off System Restore.

Then after you do this, please create a new restore point:

Go to Start>All Programs>Accessories>System Tools>System Restore. On the next page that comes up you will have three choices; choose Create Restore Point. Then click Next and type in a description, "after cleanup" or something like that. Then choose "Create", then Close.

Regarding Wild Tangent, please note that removing the Wild Tangent Object may affect the function of Wild Tangent games. If you find that to be a problem, and wish to have WT on your machine, please reinstall them from the quarantine file, rescan, and place all WT objects in your ignore list.

Follow these steps, to add objects to the ignore-list:

1. On the scan result list, check all items that you want to ignore.
2. Right click in the list window to open the result-list menu,
3. Select "Add selection to ignore-list",
4. Click "OK".

Although ignored items will be counted during the scan as being ignored, they will not show up in the scan-result list.

If you would like to clean up your machine, please make sure that you have these options checked:
Under Ad-aware 6 > Configurations (The gear wheel) > Tweaks > Scanning Engine: "Unload recognized processes during scanning."

Under Ad-aware 6 > Configurations > Tweaks > Cleaning Engine: "Let Windows remove files in use after reboot."

Please leave "Automatically try to unregister objects prior to deletion" - UNchecked

Also, please check to see if you have the option "quarantine all objects prior to removal" checked.

Open Ad-aware > General Options, there is an option "Automatically Quarantine objects prior to removal". When you click on the 'start' button, in the next window, select the 2nd option (Use Custom Scanning options) and make sure 'Activate In-depth scan (recommended)' is ticked (✓) green.

Run Ad-Aware.

Mark the objects for removal you wish to get rid of, and then choose next.

Be sure to shutdown/restart after removal.

IMPORTANT

Now if you get to the point where you are trying to remove all of the objects and you have waited a sufficient amount of time and are sure that the removal has failed...

Try to remove the objects selectively.

In the results window.
Highlight one object that there seems to be a bunch of.
Right click and choose the command to highlight all of those entries.
Then remove them.
Do this with all of the entries with multiple objects.
When you are reduced to just the others with one or a few, remove them.
It may take a couple of scans to complete, but it should work for you.
This is something that is happening on a few rare occasions and we are trying to pinpoint the cause of it, so if you see anything that you think we should know during this removal, please let us know....

If you have any further questions, please don't hesitate to ask. Would you please post a new logfile after you clean your PC.
_________________
Freedomlist.com (March 1, 2000 - 2013)



Take a walk through my Security Garden
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sat Mar 13, 2004 21:12 pm

ok so i did what you said and it didn't find anything.
here's the log.

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, March 13, 2004 7:13:00 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R267 12.03.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R267 12.03.2004
Internal build : 194
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 941552 Bytes
Signature data size : 924908 Bytes
Reference data size : 16580 Bytes
Signatures total : 20875
Target categories : 10
Target families : 446

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:34 %
Total physical memory:261664 kb
Available physical memory:86684 kb
Total page file size:633980 kb
Available on page file:492300 kb
Total virtual memory:2097024 kb
Available virtual memory:2053536 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


3-13-2004 7:13:00 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 3-14-2004 1:06:03 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:09 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:10 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:25 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:10 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:10 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:10 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:10 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:12 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:8 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:13 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.13.01.1461
ProductVersion : 5.13.01.1461
Copyright : Copyright
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 14.61
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 14.61
Created on : 9/8/2001 4:53:59 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/8/2001 9:00:00 PM

#:9 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:13 AM
BasePriority : Normal
FileSize : 19 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
OriginalFilename : TCPSVCS.EXE
ProductName : Microsoft
Created on : 9/8/2001 4:53:30 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:10 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:13 AM
BasePriority : Normal
FileSize : 29 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
OriginalFilename : snmp.exe
ProductName : Microsoft
Created on : 3/7/2004 5:37:37 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:14 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/8/2001 4:53:29 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:12 [tmntsrv.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-14-2004 1:06:14 AM
BasePriority : Normal
FileSize : 119 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : TMNTSRV
InternalName : TMNTSRV
OriginalFilename : TMNTSRV.exe
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:18:54 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:18:54 AM

#:13 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 3-14-2004 1:06:23 AM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 9/8/2001 4:53:04 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:14 [qttask.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 3-14-2004 1:06:28 AM
BasePriority : Normal
FileSize : 28 KB
Created on : 9/8/2001 6:56:57 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/8/2001 6:56:58 PM

#:15 [pop3trap.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-14-2004 1:06:28 AM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : Pop3trap
InternalName : Pop3trap
OriginalFilename : Pop3trap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:25:32 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:25:32 AM

#:16 [webtrapnt.exe]
FilePath : C:\Program Files\Trend Micro\PC-cillin 2000\
ThreadCreationTime : 3-14-2004 1:06:29 AM
BasePriority : Normal
FileSize : 230 KB
FileVersion : 7.61.0.1399
ProductVersion : 7.61.0
Copyright : Copyright (C) 1998-2001 Trend Micro Inc. All rights reserved.
CompanyName : Trend Micro Inc.
FileDescription : WebTrap MFC Application
InternalName : WebTrap
OriginalFilename : WebTrap.EXE
ProductName : Trend Pc-cillin 7.61
Created on : 9/7/2001 2:20:08 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 9/7/2001 2:20:08 AM

#:17 [hpwuschd.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ThreadCreationTime : 3-14-2004 1:06:29 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpwuSchd
InternalName : hpwuSchd
OriginalFilename : hpwuSchd.exe
ProductName : Hewlett-Packard hpwuSchd
Created on : 6/25/2003 5:24:48 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/25/2003 5:24:48 PM

#:18 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ThreadCreationTime : 3-14-2004 1:06:31 AM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
OriginalFilename : HPCmpMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/27/2003 12:50:24 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/27/2003 12:50:24 AM

#:19 [swtrayv4.exe]
FilePath : C:\PROGRA~1\MICROS~4\GAMECO~1\common\
ThreadCreationTime : 3-14-2004 1:06:32 AM
BasePriority : Normal
FileSize : 20 KB
FileVersion : 4.00.543
ProductVersion : 4.00.543
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : MS SideWinder Tray Application
InternalName : MS SideWinder Tray Application
OriginalFilename : SWTRAYV4.EXE
ProductName : Microsoft Game Controller Software
Created on : 2/26/2004 9:39:21 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 5/13/1999 2:01:12 AM

#:20 [em_exec.exe]
FilePath : C:\Program Files\Logitech\MouseWare\system\
ThreadCreationTime : 3-14-2004 1:06:32 AM
BasePriority : Normal
FileSize : 37 KB
FileVersion : 9.76.046
ProductVersion : 9.76.046
Copyright : (C) 1987-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 2/7/2004 7:19:02 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/19/2003 3:50:00 PM

#:21 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 3-14-2004 1:06:37 AM
BasePriority : Normal
FileSize : 1456 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 1:30:14 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 4/15/2003 1:30:14 AM

#:22 [mshta.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:37 AM
BasePriority : Normal
FileSize : 23 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) HTML Application host
InternalName : MSHTA
OriginalFilename : MSHTA.EXE
ProductName : Microsoft
Created on : 9/8/2001 4:53:13 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:23 [wcescomm.exe]
FilePath : C:\Program Files\Microsoft ActiveSync\
ThreadCreationTime : 3-14-2004 1:06:39 AM
BasePriority : Normal
FileSize : 392 KB
FileVersion : 3.5.0.12007
ProductVersion : 3.5.12007
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 2/7/2004 7:33:21 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 1/7/2002 7:24:10 PM

#:24 [tgcmd.exe]
FilePath : c:\progra~1\Support.com\client\bin\
ThreadCreationTime : 3-14-2004 1:06:40 AM
BasePriority : Normal
FileSize : 1376 KB
FileVersion : 5,0,307,0
ProductVersion : 5,0,307,0
Copyright : Copyright 1997-2069 Support.com
CompanyName : Support.com, Inc.
FileDescription : tgcmd Module
InternalName : TGCMD
OriginalFilename : TGCMD.DLL
ProductName : tgcmd Module
Created on : 8/3/2001 9:39:05 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/4/2001 1:21:42 AM

#:25 [nclaunch.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 3-14-2004 1:06:40 AM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 2, 2, 0, 106
ProductVersion : 2, 2, 0, 106
Copyright : Copyright
CompanyName : Northcode Inc.
FileDescription : NCLaunch
InternalName : NCLaunch
OriginalFilename : NCLaunch.exe
ProductName : Northcode NCLaunch
Created on : 3/10/2004 1:28:19 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 3/10/2004 1:28:20 AM

#:26 [vaserv.exe]
FilePath : C:\Program Files\Sony\VAIO Action Setup\
ThreadCreationTime : 3-14-2004 1:06:42 AM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1.4.00.08230
ProductVersion : 1.4.00.08230
Copyright : Copyright 2000,2001 Sony Corp.
CompanyName : Sony Corporation
FileDescription : VAServ Application
InternalName : VAServ
OriginalFilename : VAServ.EXE
ProductName : VAIO Action Setup
Created on : 9/8/2001 6:51:48 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/23/2001 11:11:26 PM

#:27 [msiexec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:06:50 AM
BasePriority : Normal
FileSize : 62 KB
FileVersion : 2.0.2600.0
ProductVersion : 2.0.2600.0
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Windows
InternalName : msiexec
OriginalFilename : msiexec.exe
ProductName : Windows Installer - Unicode
Created on : 9/8/2001 4:53:14 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:28 [hptskmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\comp\
ThreadCreationTime : 3-14-2004 1:07:01 AM
BasePriority : Normal
FileSize : 124 KB
FileVersion : 1.76.0
ProductVersion : 1.76.0
Copyright : Copyright (C) Hewlett-Packard. 2002-2003
CompanyName : Hewlett-Packard Company
FileDescription : HP Task Management Component
InternalName : HP Task Management Component
OriginalFilename : HPTskMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 6/27/2003 12:50:24 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 6/27/2003 12:50:24 AM

#:29 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ThreadCreationTime : 3-14-2004 1:07:01 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 5.31.0.147
ProductVersion : 005.031.000.147
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
OriginalFilename : HPQTRA00.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 7/7/2003 7:20:40 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 7/7/2003 7:20:40 AM

#:30 [hpzipm12.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 3-14-2004 1:07:20 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 0
ProductVersion : 7, 0, 0, 0
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 8/11/2003 8:07:38 AM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/11/2003 8:07:38 AM

#:31 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 3-14-2004 1:07:23 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 9/8/2001 5:04:42 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 8/18/2001 11:00:00 AM

#:32 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 3-14-2004 1:10:41 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 2/27/2004 5:16:23 PM
Last accessed : 3/13/2004 6:00:00 AM
Last modified : 7/13/2003 4:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (D:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for D:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (E:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for E:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
4 entries scanned.
New objects :0
Objects found so far: 0



7:31:25 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:18:24:359
Objects scanned :266015
Objects identified :0
Objects ignored :0
New objects :0
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sat Mar 13, 2004 21:18 pm

Well, CoolWebSearch and WildTangent are now gone from your computer. Do you have your homepage back? If not, we'll move to the next step.
bruce bailey

๑۞๑
 
Joined: 11 Apr 2002
Posts: 5711
Location: miami

Posted: Sun Mar 14, 2004 1:14 am

Wouldn't it just be simpler to run RegCleaner and go to the software AND start-up folders and delete the item that is changing the homepage at each start?
herbalist


 
Joined: 23 Nov 2003
Posts: 568

Posted: Sun Mar 14, 2004 1:44 am

Bruce Bailey,
If there isn't a pest of some sort involved that is changing this, probably yes. The problem is that the makers of some of this junk have found other ways to do this and change the way it's done on a very regular basis, just to make it hard to get rid of. They also install in the windows, windows system, common files, and other folders. Without knowing the exact name of the pest involved, and the names of the files it adds, what do you delete? A lot of this stuff is designed to re-install itself if parts of it are missed. This has gone way past a few files and registry entries being added. Some even replace a few of your system files with their own. If you delete them without re-installing the originals, you're offline.
Rick
_________________
Web Surfing:
Sitting in my bunker, here behind my wall, waiting for the worms to come.
Making Windows 98 Run Better.
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sun Mar 14, 2004 9:03 am

Additionally, this process turns up the new variants. As a result, the user submits the variant and R&D creates a signature and adds it to the reference files. This then enables others who end up with this on their computer to remove it safely.

I was a major proponent of reg cleaners until I learned how nefarious these objects can be and, as Herbalist indicated, that registry cleaning is not always the solution.
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sun Mar 14, 2004 11:07 am

ok. my homepage seems to be good. but when i deleted some of the quarantine files from pc-cillin it says it wants to install pc-cillin. this happens every startup. it says it can't find the PNT2K.Msi install file. i deleted the stuff in my recycle bin so i can't get it back. i'm wondering what happened.

Last edited by lion6644 on Sun Mar 14, 2004 11:12 am; edited 1 time in total
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sun Mar 14, 2004 11:11 am

my homepage is changing again. man, this is annoying.
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sun Mar 14, 2004 11:22 am

i fixed the pc-cillin, but i still have problems with my homepage.
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

Posted: Sun Mar 14, 2004 11:30 am

Then let's move to the next step:

Please go to the link below and download HijackThis:

 HijackThis Download 

Download, then save the file/install to a new folder called HijackThis or something similar (not your Desktop or the Temp folder), and double click on the "HijackThis" icon.
When finished loading, click on the "Scan" button.
Next click on the "Save Log" button.
Save the log somewhere you will remember and open the log file with notepad.
Then copy the contents and paste them in a reply to be checked.
Please do not fix anything yet with this or any other program as most of what it shows is harmless. When our experts examine this they will tell you what to fix, and if anything needs to be submitted to us for evaluation.

After you have scanned with HJT, please copy and paste the logfile below as a reply.

Thanks, and good luck.
lion6644


 
Joined: 13 Mar 2004
Posts: 17

Posted: Sun Mar 14, 2004 15:14 pm

here's the log

Logfile of HijackThis v1.97.7
Scan saved at 2:11:13 PM, on 3/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Adam\download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\homepage.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://1-se.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://1-se.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://1-se.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://1-se.com/srchasst.html (obfuscated)
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1424.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\System32\realupd.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Real-time Monitor.lnk = ?
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 13529
Location: Upstate, NY

PostPosted: Sun Mar 14, 2004 15:24 pm    Post subject: Reply with quote

Thank you lion6644. I've submitted a request for a SuperExpert to look at your HJT log. They have a list of close to 12 ahead of yours, but I know they'll get to you in due course. Just keep checking back for instructions.
_________________
Freedomlist.com (March 1, 2000 - 2013)



Take a walk through my Security Garden
lion6644


 
Joined: 13 Mar 2004
Posts: 17

PostPosted: Sun Mar 14, 2004 15:32 pm    Post subject: Reply with quote

sounds good.
SpyDie

Malware Response Team

Joined: 21 Feb 2004
Posts: 90

PostPosted: Sun Mar 14, 2004 16:35 pm    Post subject: Reply with quote

Please submit the following bold-face files to:  http://submit.lavahelp.com 

Simply copy/paste the files one at a time into the box that reads "Submission File". Click "Submit new or updated target". Wait for it to upload. Then repeat with the next one ...

C:\WINDOWS\System32\realupd.exe
C:\WINDOWS\shell32.dll


Run HijackThis again, close all open windows, put a checkmark next to the following, and press "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =  http://1-se.com/srchasst.html  (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =  http://1-se.com/home.html  (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\homepage.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  http://1-se.com/home.html  (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =  http://riviera.cc  (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =  http://1-se.com/srchasst.html  (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =  http://1-se.com/home.html  (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\homepage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =  http://1-se.com/home.html  (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =  http://1-se.com/home.html  (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =  http://1-se.com/srchasst.html  (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =  http://1-se.com/srchasst.html  (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =  http://1-se.com/srchasst.html  (obfuscated)
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\System32\realupd.exe


Re-boot/Restart the computer.

Delete these files:

C:\WINDOWS\System32\realupd.exe
C:\WINDOWS\shell32.dll
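The kind of triage the fix list above does by eye, as an added Python example (not part of the thread and not HijackThis's own code): it parses HijackThis entries, flags R0/R1 values marked "(obfuscated)" or pointing at a local file, and rewrites the integer-form address in O1 Hosts lines as a dotted quad. The function names, the finding labels and the short list of System32-only file names are assumptions made for the example.

```python
import ipaddress
import ntpath
import re

# Constructed sample: entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://1-se.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\homepage.htm
O1 - Hosts: 3466690378 ad.doubleclick.net
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumption: a small allow-list of file names that belong only in System32.
SYSTEM32_ONLY = {"shell32.dll", "kernel32.dll", "user32.dll"}
SYSTEM32 = r"c:\windows\system32"

def decode_hosts_ip(token):
    """Rewrite an IPv4 address given as one decimal integer as a dotted quad."""
    if token.isdigit() and int(token) < 2**32:
        return str(ipaddress.IPv4Address(int(token)))
    return token

def misplaced_system_file(path):
    """True when a System32-only file name sits in some other directory."""
    folder, name = ntpath.split(path.strip('"'))
    return name.lower() in SYSTEM32_ONLY and folder.lower() != SYSTEM32

def triage(log_text):
    """Return (code, reason, detail) for each entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code in ("R0", "R1") and " = " in rest:
            value = rest.split(" = ", 1)[1].strip()
            if value.endswith("(obfuscated)"):
                findings.append((code, "obfuscated URL", value))
            elif re.match(r"^[A-Za-z]:\\", value):
                findings.append((code, "IE page set to local file", value))
        elif code == "O1" and rest.startswith("Hosts:"):
            ip, host = rest[len("Hosts:"):].split(None, 1)
            findings.append((code, "hosts redirect", f"{host} -> {decode_hosts_ip(ip)}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

`misplaced_system_file` separates the two `shell32.dll` paths that come up in this thread: the copy directly under `C:\WINDOWS` is flagged, the one under `System32` is not.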
lion6644


 
Joined: 13 Mar 2004
Posts: 17

PostPosted: Sun Mar 14, 2004 20:31 pm    Post subject: Reply with quote

i deleted the first one ok. but the second one, which wasn't under windows but under system32, i couldn't delete. it said access denied.
All times are GMT - 5 Hours