Author Topic: everydaypain.info, tasks file, etc. (Read 2840 times)

AtomHeart · « **on:** June 16, 2005, 07:02:54 PM »

Help! I've been infected by some virus that keeps re-installing itself on my PC. There are also registry entries that will not allow me to delete them (under the below "trusted zone" registry entries). Following is the hijack this log:

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

Any help one could offer would be greatly appreciated! Thanks.

Hurricane · « **Reply #1 on:** June 16, 2005, 10:15:59 PM »

Atom
Please look above the top posting today to the pinned post by Guestello ,, How to post a HJT log..,,,, after the HJT scan, clk save log.
Post the entire log .

AtomHeart · « **Reply #2 on:** June 17, 2005, 09:00:38 PM »

Thanks Hurricane. I also followed his advice and dl'd the update HJT. Following is the complete log:

Logfile of HijackThis v1.99.1
Scan saved at 7:00:06 PM, on 6/17/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.everydaypain.info/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.everydaypain.info/homepage.html
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\MAXIFI~1\MAXIFI~1.DLL
O3 - Toolbar: Maxifiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Maxifiles\maxifiles.dll
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

I was trying to do a lot of cleaning today. The problem I seem to be having is that I've got some embedded registry entries that I can't delete. They fall under the registry entries of "zonemap\domains". The above log shows them in the "trusted zone" category.

Thanks again.

guestolo · « **Reply #3 on:** June 18, 2005, 03:23:13 AM »

Unfortunately, you didn't supply the WHOLE log that hijackthis output
Please run another scan with hijackthis and save the log file
When the text file opens
Select EDIT>>Select all
Right click and choose Copy
Paste the whole log back here in your next reply

AtomHeart · « **Reply #4 on:** June 20, 2005, 10:49:48 AM »

Thanks again. Here it is, exactly as instructed:

Logfile of HijackThis v1.99.1
Scan saved at 8:53:40 AM, on 6/20/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nsu2.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

AtomHeart · « **Reply #5 on:** June 20, 2005, 09:14:05 PM »

I tried something else too. I ran Ad-Aware (noted as (a), below), then quarantined/cleaned all the registry entries as indicated. Then I ran Ad-Aware again (

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />, and noted that there are still 5 registry entries that I can't delete. I tried them manually in the registry editor, and can't delete them there also. There's other entries there as well under the same sub-folder that don't appear in Ad-Aware. Then I ran HJT ©, and fixed everything as indicated. I then re-booted and ran HJT again (d). Following are all 4 logs (a thru d below):

A)
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 20, 2005 6:47:55 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
begin2search(TAC index:3):20 total references
MediaMotor(TAC index:

:2 total references
MRU List(TAC index:0):1 total references
Possible Browser Hijack attempt(TAC index:3):22 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-20-05 6:47:55 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [delldmi.exe]
FilePath : C:\DMI\bin\
ProcessID : 78
ThreadCreationTime : 6-20-05 4:21:42 PM
BasePriority : Normal

#:2 [nddeagnt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 99
ThreadCreationTime : 6-20-05 4:21:43 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Network DDE Agent
InternalName : NDDEAGNT.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : NDDEAGNT.EXE

#:3 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 121
ThreadCreationTime : 6-20-05 4:21:46 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1991-1995
OriginalFilename : EXPLORER.EXE

#:4 [dnar.exe]
FilePath : C:\DMI\bin\
ProcessID : 165
ThreadCreationTime : 6-20-05 4:21:51 PM
BasePriority : Normal

#:5 [ddhelp.exe]
FilePath : C:\WINNT\System32\
ProcessID : 132
ThreadCreationTime : 6-20-05 8:45:25 PM
BasePriority : Normal
FileVersion : 4.04
ProductVersion : 4.04
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Direct Draw Helper
InternalName : ddhelp
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : ddhelp

#:6 [cmd.exe]
FilePath : C:\WINNT\system32\
ProcessID : 333
ThreadCreationTime : 6-21-05 1:05:40 AM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows NT Command Processor
InternalName : cmd
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : Cmd.Exe

#:7 [services.exe]
FilePath : C:\Program Files\Common Files\
ProcessID : 238
ThreadCreationTime : 6-21-05 1:05:41 AM
BasePriority : Normal

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 260
ThreadCreationTime : 6-21-05 1:43:07 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.amo

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.amo.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.iiittt

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.iiittt.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.momo

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.momo.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.ohb

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.ohb.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0962da67-db64-465c-8cd7-cbb357caf825}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{356b2bd0-d206-4e21-8c85-c6f49409c6a9}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{52add86d-9561-4c40-b561-4204dbc139d1}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{999a06ff-10ef-4a29-8640-69e99882c26b}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{da15c9a2-c30a-4761-922a-5dfe7c9a1f67}

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e0ce16cb-741c-4b24-8d04-a817856e07f4}

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : iobjsafety.democtl

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{999a06ff-10ef-4a29-8640-69e99882c26b}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 22
Objects found so far: 23

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : f1organizer.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : f1organizer.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\f1organizer.com
Trusted zone presumably compromised : media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : slotch.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : xxxtoolbar.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
Trusted zone presumably compromised : addictivetechnologies.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : addictivetechnologies.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : clickspring.net
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmiracle.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
Trusted zone presumably compromised : slotch.com
Trusted zone presumably compromised : static.topconverting.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : static.topconverting.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com
Trusted zone presumably compromised : topconverting.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : topconverting.com
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\topconverting.com
Trusted zone presumably compromised : f1organizer.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : f1organizer.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\f1organizer.com
Trusted zone presumably compromised : media-motor.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : media-motor.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\media-motor.net
Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : slotch.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : xxxtoolbar.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
Trusted zone presumably compromised : addictivetechnologies.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : addictivetechnologies.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : clickspring.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmiracle.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
Trusted zone presumably compromised : slotch.com
Trusted zone presumably compromised : static.topconverting.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : static.topconverting.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com
Trusted zone presumably compromised : topconverting.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : topconverting.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\topconverting.com
Possible Browser Hijack attempt : {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (http://cabs.media-motor.net/cabs/joysaver.cab)

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://cabs.media-motor.net/cabs/joysaver.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}

Possible Browser Hijack attempt Object Recognized!
Type : RegValue
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Possible Browser Hijack attempt : http://cabs.media-motor.net/cabs/joysaver.cab
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7149E79C-DC19-4C5E-A53C-A54DDF75EEE9}
Value : Installer

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 22
Objects found so far: 45

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 45

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 45

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 45
6:50:42 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:47.381
Objects scanned:58200
Objects identified:44
Objects ignored:0
New critical objects:44

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, June 20, 2005 6:52:53 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
Possible Browser Hijack attempt(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-20-05 6:52:53 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\WINNT\Profiles\wriddle\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [delldmi.exe]
FilePath : C:\DMI\bin\
ProcessID : 78
ThreadCreationTime : 6-20-05 4:21:42 PM
BasePriority : Normal

#:2 [nddeagnt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 99
ThreadCreationTime : 6-20-05 4:21:43 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Network DDE Agent
InternalName : NDDEAGNT.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : NDDEAGNT.EXE

#:3 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 121
ThreadCreationTime : 6-20-05 4:21:46 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1991-1995
OriginalFilename : EXPLORER.EXE

#:4 [dnar.exe]
FilePath : C:\DMI\bin\
ProcessID : 165
ThreadCreationTime : 6-20-05 4:21:51 PM
BasePriority : Normal

#:5 [ddhelp.exe]
FilePath : C:\WINNT\System32\
ProcessID : 132
ThreadCreationTime : 6-20-05 8:45:25 PM
BasePriority : Normal
FileVersion : 4.04
ProductVersion : 4.04
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Direct Draw Helper
InternalName : ddhelp
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : ddhelp

#:6 [cmd.exe]
FilePath : C:\WINNT\system32\
ProcessID : 333
ThreadCreationTime : 6-21-05 1:05:40 AM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows NT Command Processor
InternalName : cmd
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : Cmd.Exe

#:7 [services.exe]
FilePath : C:\Program Files\Common Files\
ProcessID : 238
ThreadCreationTime : 6-21-05 1:05:41 AM
BasePriority : Normal

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 260
ThreadCreationTime : 6-21-05 1:43:07 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : slotch.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : xxxtoolbar.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : clickspring.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmiracle.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
Trusted zone presumably compromised : slotch.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 8

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 8
6:55:40 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:46.809
Objects scanned:58194
Objects identified:5
Objects ignored:0
New critical objects:5

C)
Logfile of HijackThis v1.99.1
Scan saved at 6:58:11 PM, on 6/20/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - (no file)
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - (no file)
O2 - BHO: XBTB07618 - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - (no file)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

D)
Logfile of HijackThis v1.99.1
Scan saved at 7:01:59 PM, on 6/20/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

The root problem seems to be these "trusted zones" that appear in the registry editor. Though I can delete them manually within the HKEY_CURRENT_USER registry (they still re-appear later), I CANNOT delete them manually within the LOCAL_MACHINE directory.

They appear within the following directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\ZoneMap\Domains. The sub-folders (that I can't delete) are titled as follows:

blazefind.com
clickspring.net
flingstone.com
frame.crazywinnings.com
mt-download.com
my-internet.info
searchbarcash.com
searchmiracle.com
skoobidoo.com
slotch.com
slotchbar.com
windupdates.com
xxxtoolbar.com
ysbweb.com

My practical knowledge only goes so far. In this case, I would certainly appreciate some help! Anything you could offer so as to rid this PC of these little nasties would be forever remembered.

Thanks again,

AH

guestolo · « **Reply #6 on:** June 20, 2005, 09:53:05 PM »

Good work AtomHeart

Ad-Aware's a great program

Can you do the following also
Download and UNZIP to the desktop
DelDomains.zip
So you now have Deldomains.inf extracted

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

If you don't have the latest version of Spybot
Download and Install Spybot S&D 1.4
From the above link or HERE
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish the cleaning process

Back in Windows

Make sure that these files are gone, if not delete them
C:\winstall.exe <-file
C:\WINNT\Desktop.html <-file
C:\Program Files\Common Files\mc-58-12-0000093.exe <-file
and this folder
C:\Program Files\SpySheriff <-folder

I would also suggest that you run an Online virus scan at Panda's
There's a link to the free scan in my signature below
You must use Internet Explorer to run this scan
Please save the report afterwards and post the results

Could you also run another scan with Hijackthis and post a fresh log

Is Norton's AV running properly?
It looks like the Run entries are missing, you may have to resort to uninstalling it and reinstalling

Not sure why I can't see your running processes in your log
Seen this happen with other Windows NT logs
Can you also do the following
Open Hijackthis>>Open Misc tools Section>>Open Process Manager
In the Process manager can you click on the Floppy disk icon (Save list to file)
Save the list to desktop and copy and paste it back here

Well your in Misc tools section could you also
click on Hosts File Manager
Click the "Open in Notepad"
A text file should open, can you copy and paste back the whole contents of the Hosts text file too, thanks

AtomHeart · « **Reply #7 on:** June 21, 2005, 09:48:14 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']Can you do the following also
Download and UNZIP to the desktop
DelDomains.zip
So you now have Deldomains.inf extracted

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries[/quote]

When attempting to install, I get an error message - "Installation Failed"

AtomHeart · « **Reply #8 on:** June 21, 2005, 09:52:05 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']If you don't have the latest version of Spybot
Download and Install Spybot S&D 1.4
From the above link or HERE
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish the cleaning process[/quote]

When attempting to install this program, I receive the following error message - "You must be logged in as Administrator or as a member of the Power Users Group when installing this program."

Unfortunately, this is a common workstation computer accessed anywhere from 3-4 people - however it is I who am responsible for the station, but not in an administrative role.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />

AtomHeart · « **Reply #9 on:** June 21, 2005, 09:53:40 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']Back in Windows

Make sure that these files are gone, if not delete them
C:\winstall.exe <-file
C:\WINNT\Desktop.html <-file
C:\Program Files\Common Files\mc-58-12-0000093.exe <-file
and this folder
C:\Program Files\SpySheriff <-folder[/quote]

I've deleted them, but it appears as though they intermittently re-install at various times after a while.

AH

AtomHeart · « **Reply #10 on:** June 21, 2005, 09:57:24 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']I would also suggest that you run an Online virus scan at Panda's
There's a link to the free scan in my signature below
You must use Internet Explorer to run this scan
Please save the report afterwards and post the results[/quote]

Following is the Panda scan report:

Incident Status Location

Virus:W32/Admincash.B No disinfected Operating system
Adware:Adware/Beginto No disinfected C:\WINNT\System32\nsz15C.dll
Adware:Adware/SaveNow No disinfected C:\WINNT\System32\ap2nqrd4.dat
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\System32\exclean.exe
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/AdClicker No disinfected C:\WINNT\usta33.ini
Adware:Adware/XPlugin No disinfected Windows Registry
Adware:Adware/SAHAgent No disinfected C:\WINNT\unstall.exe
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINNT\System32\a95kfrhe.ini
Adware:Adware/ExactSearch No disinfected C:\WINNT\exdl.exe
Adware:Adware/Beginto No disinfected C:\WINNT\System32\nsz15C.dll
Adware:Adware/SBSoft No disinfected C:\WINNT\System32\ie2cltr.dll
Adware:Adware/Kingporn No disinfected C:\TEMP\ExtractDLL.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINNT\drexinit.dll
Adware:Adware/Transponder No disinfected C:\TEMP\directrevenue.id
Virus:Bck/Dumador.O Disinfected Operating system
Adware:Adware/Pacimedia No disinfected C:\WINNT\Profiles\wriddle\Favorites\1111\1111.url
Adware:Adware/Adsmart No disinfected C:\WINNT\System32\vx.tll
Adware:Adware/IGuard No disinfected C:\WINNT\System32\wldr.dll
Adware:Adware/Admess No disinfected Windows Registry
Adware:Adware/Nowfind No disinfected C:\WINNT\System32\wirl.dll
Virus:Trj/Downloader.CFJ Disinfected Operating system
Adware:Adware/Startpage.ACD No disinfected C:\WINNT\ahadp.exe
Virus:Trj/Small.LV Disinfected Operating system
Adware:Adware/Maxifiles No disinfected Windows Registry
Adware:Adware/G-search No disinfected C:\WINNT\FONTS\web.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsr5.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsn53.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsd124.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINNT\SYSTEM32\audissrp.exe
Adware:Adware/IGuard No disinfected C:\WINNT\SYSTEM32\wldr.dll
Virus:Trj/Agent.PN Disinfected C:\WINNT\SYSTEM32\max3548.dll
Adware:Adware/Findspy No disinfected C:\WINNT\SYSTEM32\fixmapirs.exe
Spyware:Spyware/FastSearchWeb No disinfected C:\WINNT\SYSTEM32\docntrop.dll
Virus:Trj/Symesta.C Disinfected C:\WINNT\SYSTEM32\jltD3D.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsl6F.dll
Virus:Trojan Horse Disinfected C:\WINNT\SYSTEM32\sp.dat
Virus:Trj/Narod.B Disinfected C:\WINNT\SYSTEM32\systemp.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsw81.dll
Virus:Trj/Narod.B Disinfected C:\WINNT\SYSTEM32\sysp.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nscB9.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsp42.dll
Adware:Adware/SBSoft No disinfected C:\WINNT\SYSTEM32\ie2cltr.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsv93.dll
Adware:Adware/Startpage.ABR No disinfected C:\WINNT\SYSTEM32\spkwz.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsi2.dll
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\exdl.exe
Adware:Adware/Startpage.FG No disinfected C:\WINNT\SYSTEM32\wirl.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nskEF.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\mac80ex.idf[Uninstall.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\mac80ex.idf[bargains.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\mac80ex.idf[adv.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\mac80ex.idf[adx.exe]
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nst91.dll
Adware:Adware/Startpage.ZF No disinfected C:\WINNT\SYSTEM32\spcgw.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsu142.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsu2.dll
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\exdl0.exe
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\mqexdlm.srg
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\exclean.exe
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\exdl1.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsf9E.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsz15C.dll
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[exdl.exe]
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[msexreg.exe]
Adware:Adware/ExactSearch No disinfected C:\WINNT\SYSTEM32\netut80ex.vxd[exclean.exe]
Virus:Trj/HaxSpy.A Disinfected C:\WINNT\SYSTEM32\mspdnx.dll
Adware:Adware/SearchExe No disinfected C:\WINNT\SYSTEM32\iapb.dll
Virus:W32/Admincash.B Disinfected C:\WINNT\Fonts\web.exe
Virus:Trj/Downloader.BWL Disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\UZH4P71F\reserv[1].exe
Adware:Adware/TopConvert No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\UZH4P71F\protect[1].htm
Virus:Trj/Downloader.CTU Disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\on-line[1].exe
Virus:Trj/Lowzones.CS Disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\ieac[1].exe
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\a1[1].htm
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\MediaTicketsInstaller[1].cab
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.ocx]
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\MediaTicketsInstaller[1].cab[MediaTicketsInstaller.INF]
Adware:Adware/TopSpyware No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\9J0QCFGR\dd[1].exe
Adware:Adware/SBSoft No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\0BKBAPI1\desktop[1].exe
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\0BKBAPI1\a2[1].htm
Adware:Adware/ISearch No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\6F2RAH6D\toolbar[1].exe
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\hsmith\Temporary Internet Files\Content.IE5\6F2RAH6D\mtrslib2[2].js
Virus:Trj/Qhost.Q Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\hosts[1].txt
Adware:Adware/Adsmart No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\ms2[1].txt
Adware:Adware/SpywareNo No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\ms3[1].txt
Adware:Adware/WinAD No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\MediaAccess[1].exe
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\load2[1].exe[backup.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\load2[1].exe[cls.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\load2[1].exe[reboot.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\load2[1].exe[restore.exe]
Adware:Adware/Maxifiles No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\dnscatcher[1].exe
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\QHI74Z07\MediaTicketsInstaller[2].cab[MediaTicketsInstaller.INF]
Virus:Trj/LowZones.EZ Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\8Z6DSBQX\tool[1].txt
Virus:Trj/Downloader.BBA Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\8Z6DSBQX\tool1[1].txt
Virus:Trj/Downloader.LP Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\8Z6DSBQX\tibs[1].php
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\8Z6DSBQX\a2[1].htm
Adware:Adware/TopConvert No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\mp3[2].ocx
Adware:Adware/TopConvert No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\mp3[1].ocx
Adware:Adware/WinAD No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\bridge-c18[1].cab
Adware:Adware/WinAD No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\bridge-c18[1].cab[MediaAccX.dll]
Virus:Trj/Small.GV No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\J6PDbgsaYdLk3onob-j2[1].chm[1.htm]
Adware:Adware/Startpage.YM No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\paytime[1].txt
Virus:Exploit/Mhtredir.gen Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\index2[2].htm
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\load2[1].exe[backup.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\load2[1].exe[cls.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\load2[1].exe[reboot.exe]
Virus:Trojan Horse No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\load2[1].exe[restore.exe]
Adware:Adware/Maxifiles No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\dnscatcher[1].exe
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\MediaTicketsInstaller[2].cab[MediaTicketsInstaller.INF]
Adware:Adware/Beginto No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\tool2[1].txt
Virus:Trj/Downloader.UV Disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\ase[1].exe
Adware:Adware/TopConvert No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\mp3[1].ocx
Adware:Adware/MediaTickets No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\mtrslib2[1].js
Adware:Adware/EliteBar No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\v3cab[1].cab
Adware:Adware/EliteBar No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\v3cab[1].cab[v3.dll]
Adware:Adware/EliteBar No disinfected C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\v3cab[1].cab[v3cab.inf]
Virus:W32/Admincash.B No disinfected C:\WINNT\EXPLORER.EXE
Virus:Bck/WayPlay.A Disinfected C:\WINNT\wavplay.exe
Virus:Trj/Agent.VD Disinfected C:\WINNT\drexinit.dll
Adware:Adware/WinTools No disinfected C:\WINNT\Temp\TBuninst.exe
Adware:Adware/ExactSearch No disinfected C:\WINNT\exdl.exe
Virus:Trj/Qhost.Q Disinfected C:\WINNT\hosts
Virus:Trj/Multidropper.NB Disinfected C:\WINNT\ahadp.exe
Adware:Adware/2Z0o No disinfected C:\WINNT\hwfysvc.exe
Adware:Adware/2Z0o No disinfected C:\WINNT\ojtrenc.exe
Virus:Trojan Horse Disinfected C:\bitmap.tmp
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\protect.exe
Adware:Adware/SpywareNo No disinfected C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\sefe.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\CxtPls.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\WinGenerics.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\uninstaller.exe
Virus:Trojan Horse Disinfected C:\TEMP\bnja.bat
Spyware:Spyware/Dyfuca No disinfected C:\TEMP\asfjkk32.tmp
Adware:Adware/Envolo No disinfected C:\TEMP\AutoUpdate0\setup.inf
Adware:Adware/nCase No disinfected C:\TEMP\res4A.tmp
Virus:Trj/Small.LV Disinfected C:\TEMP\1.qtdfmp
Virus:Trj/Downloader.CRY Disinfected C:\TEMP\6.qtdfmp
Spyware:Spyware/SafeSurf No disinfected C:\TEMP\ExtractDLL.dll
Adware:Adware/Adsmart No disinfected C:\TEMP\7.qtdfmp
Virus:Trj/Lowzones.FO Disinfected C:\TEMP\vxt2.game
Virus:Trj/Shellbot.B Disinfected C:\TEMP\vx2.game
Virus:Trj/Downloader.BWL Disinfected C:\TEMP\vxt1.game
Spyware:Spyware/Media-motor No disinfected C:\TEMP\ICD1.tmp\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\TEMP\ICD1.tmp\m67m.ocx
Adware:Adware/nCase No disinfected C:\TEMP\res77.tmp
Adware:Adware/nCase No disinfected C:\TEMP\res5A.tmp
Adware:Adware/nCase No disinfected C:\TEMP\resB.tmp
Adware:Adware/nCase No disinfected C:\TEMP\res8.tmp
Adware:Adware/nCase No disinfected C:\TEMP\res4E.tmp
Adware:Adware/nCase No disinfected C:\TEMP\180sainstallernusac.exe
Adware:Adware/nCase No disinfected C:\TEMP\res25.tmp
Adware:Adware/nCase No disinfected C:\TEMP\res20.tmp
Spyware:Spyware/Media-motor No disinfected C:\TEMP\ICD2.tmp\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\TEMP\ICD2.tmp\m67m.ocx
Spyware:Spyware/BetterInet No disinfected C:\TEMP\-1.exe
Adware:Adware/SAHAgent No disinfected C:\setup4002b.ini
Adware:Adware/SAHAgent No disinfected C:\webinstaller.dll
Virus:Trj/Downloader.BWL Disinfected C:\RECYCLED\DC34.DAT

(it doesn't appear as though the data is lining up properly in their respective fields. Let me know if you want me to re-post this in some other fashion. Thx.)

AH

AtomHeart · « **Reply #11 on:** June 21, 2005, 10:01:34 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']Could you also run another scan with Hijackthis and post a fresh log[/quote]

I also ran Ad-Aware again. Following are the logs before and after:

Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, June 21, 2005 7:23:32 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
begin2search(TAC index:3):20 total references
ClickSpring(TAC index:6):4 total references
Hijacker.TopConverting(TAC index:5):1 total references
MediaMotor(TAC index:

:2 total references
MRU List(TAC index:0):4 total references
Possible Browser Hijack attempt(TAC index:3):5 total references
Search Miracle(TAC index:5):1 total references
TIB Browser(TAC index:6):7 total references
TX4.BrowserAd(TAC index:3):2 total references
VX2(TAC index:10):2 total references
Zango(TAC index:6):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-21-05 7:23:32 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\WINNT\Profiles\wriddle\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [delldmi.exe]
FilePath : C:\DMI\bin\
ProcessID : 68
ThreadCreationTime : 6-21-05 2:49:53 PM
BasePriority : Normal

#:2 [nddeagnt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 96
ThreadCreationTime : 6-21-05 2:49:53 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Network DDE Agent
InternalName : NDDEAGNT.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : NDDEAGNT.EXE

#:3 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 107
ThreadCreationTime : 6-21-05 2:49:55 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1991-1995
OriginalFilename : EXPLORER.EXE

#:4 [dnar.exe]
FilePath : C:\DMI\bin\
ProcessID : 187
ThreadCreationTime : 6-21-05 2:50:06 PM
BasePriority : Normal

#:5 [ddhelp.exe]
FilePath : C:\WINNT\System32\
ProcessID : 280
ThreadCreationTime : 6-21-05 4:25:44 PM
BasePriority : Normal
FileVersion : 4.04
ProductVersion : 4.04
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Direct Draw Helper
InternalName : ddhelp
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : ddhelp

#:6 [iexplore.exe]
FilePath : C:\PROGRA~1\Plus!\MICROS~1\
ProcessID : 291
ThreadCreationTime : 6-21-05 11:46:56 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:7 [tmp.exe]
FilePath : C:\Program Files\DNS\
ProcessID : 267
ThreadCreationTime : 6-22-05 2:22:39 AM
BasePriority : Normal
FileVersion : 3, 1, 0, 15
Comments : http://www.autoitscript.com/autoit3/compiled.html

#:8 [sac.exe]
FilePath : C:\Program Files\180searchassistant\
ProcessID : 134
ThreadCreationTime : 6-22-05 2:22:50 AM
BasePriority : Normal
FileVersion : 6, 8, 196, 0
ProductVersion : 6, 8, 196, 0
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2005, 180solutions Inc.

Zango Object Recognized!
Type : Process
Data : sac.exe
TAC Rating : 6
Category : Data Miner
Comment : (CSI MATCH)
Object : C:\Program Files\180searchassistant\
FileVersion : 6, 8, 196, 0
ProductVersion : 6, 8, 196, 0
ProductName : Search Assistant
CompanyName : 180solutions, Inc.
FileDescription : Search Assistant
LegalCopyright : Copyright © 2005, 180solutions Inc.

Warning! Zango Object found in memory(C:\Program Files\180searchassistant\sac.exe)

Warning! "C:\Program Files\180searchassistant\sac.exe"Process could not be terminated!
"C:\Program Files\180searchassistant\sac.exe"Process terminated successfully

#:9 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 249
ThreadCreationTime : 6-22-05 2:23:17 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 5

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.amo

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.amo.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.iiittt

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.iiittt.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.momo

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.momo.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.ohb

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : trfdsk.ohb.1

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0962da67-db64-465c-8cd7-cbb357caf825}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{356b2bd0-d206-4e21-8c85-c6f49409c6a9}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{52add86d-9561-4c40-b561-4204dbc139d1}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{999a06ff-10ef-4a29-8640-69e99882c26b}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{018c5406-aee6-4a68-980f-2ceb1e9416fb}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{0a7fc040-f84a-4ad7-9439-798b6c0f861e}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{32a9d21f-f510-44dc-9ea6-0456eda04668}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4562b6f3-daf8-464e-87b7-5464575f0d6a}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c93cc79d-02d5-45b0-be39-7f5b0e5dda31}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{da4b919f-b757-4e32-8d79-dec5c2704c4b}

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{da15c9a2-c30a-4761-922a-5dfe7c9a1f67}

ClickSpring Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{39da2444-065f-47cb-b27c-ccb1a39c06b7}

ClickSpring Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{9eb320ce-be1d-4304-a081-4b4665414bef}

Hijacker.TopConverting Object Recognized!
Type : Regkey
Data :
TAC Rating : 5
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2b0eceac-f597-4858-a542-d966b49055b9}

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{e0ce16cb-741c-4b24-8d04-a817856e07f4}

MediaMotor Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : iobjsafety.democtl

TX4.BrowserAd Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{31ca5c07-7f5f-4502-8c77-99a91558add0}

TX4.BrowserAd Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{223a26d8-9f91-42f6-8ed3-094b637de020}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{99410cde-6f16-42ce-9d49-3807f78f0287}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.clientinstaller

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.clientinstaller.1

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.requiredcomponent

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clientax.requiredcomponent.1

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{0ac49246-419b-4ee0-8917-8818daad6a4e}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{ddea2e1d-8555-45e5-af09-ec9aa4ea27ad}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f1f1e775-1b21-454d-8d38-7c16519969e5}

Zango Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{5b6689b5-c2d4-4dc7-bfd1-24ac17e5fcda}

TIB Browser Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Dialer
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-994324759-1203005500-1232828436-2498\software\websiteviewer

begin2search Object Recognized!
Type : Regkey
Data :
TAC Rating : 3
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{999a06ff-10ef-4a29-8640-69e99882c26b}

ClickSpring Object Recognized!
Type : Regkey
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{9eb320ce-be1d-4304-a081-4b4665414bef}

ClickSpring Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\code store database\distribution units\{9eb320ce-be1d-4304-a081-4b4665414bef}
Value : Installer

TIB Browser Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Dialer
Comment : "lc"
Rootkey : HKEY_USERS
Object : S-1-5-21-994324759-1203005500-1232828436-2498\software\websiteviewer\settings
Value : lc

TIB Browser Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Dialer
Comment : "Windows Service"
Rootkey : HKEY_USERS
Object : S-1-5-21-994324759-1203005500-1232828436-2498\software\microsoft\windows\currentversion\run
Value : Windows Service

TIB Browser Object Recognized!
Type : RegValue
Data :
TAC Rating : 6
Category : Dialer
Comment : "Windows Service"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\run
Value : Windows Service

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 42
Objects found so far: 47

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : slotch.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : xxxtoolbar.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : clickspring.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 8
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmiracle.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
Trusted zone presumably compromised : slotch.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 52

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 52

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

TIB Browser Object Recognized!
Type : File
Data : 127062.exe
TAC Rating : 6
Category : Dialer
Comment :
Object : C:\

TIB Browser Object Recognized!
Type : File
Data : dload.exe
TAC Rating : 6
Category : Dialer
Comment :
Object : C:\WINNT\SYSTEM32\

VX2 Object Recognized!
Type : File
Data : thin-94-1-x-x[1].exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SZC3GJIZ\
FileVersion : 2, 0, 1, 8
ProductVersion : 2, 0, 1, 8
ProductName : Thinstaller
CompanyName : BetterInternet, Inc.
FileDescription : www.abetterinternet.com - Utility for downloading files and upgrading software.
InternalName : Install Utility
LegalCopyright : BetterInternet, Inc. © 2005
OriginalFilename : Thinstaller.exe
Comments : Utility for downloading files and upgrading software. Visit www.abetterinternet.com for more info.

Object "v3.dll" found in this archive.

Search Miracle Object Recognized!
Type : File
Data : v3cab[1].cab
TAC Rating : 5
Category : Malware
Comment : Object "v3.dll" found in this archive.
Object : C:\WINNT\Profiles\wriddle\Temporary Internet Files\Content.IE5\SHAVK1QJ\

TIB Browser Object Recognized!
Type : File
Data : 127062.exe
TAC Rating : 6
Category : Dialer
Comment :
Object : C:\Program Files\WebSiteViewer\

VX2 Object Recognized!
Type : File
Data : -1.exe
TAC Rating : 10
Category : Malware
Comment :
Object : C:\TEMP\
FileVersion : 2, 0, 1, 8
ProductVersion : 2, 0, 1, 8
ProductName : Thinstaller
CompanyName : BetterInternet, Inc.
FileDescription : www.abetterinternet.com - Utility for downloading files and upgrading software.
InternalName : Install Utility
LegalCopyright : BetterInternet, Inc. © 2005
OriginalFilename : Thinstaller.exe
Comments : Utility for downloading files and upgrading software. Visit www.abetterinternet.com for more info.

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 58

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 58
7:26:29 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:56.414
Objects scanned:58696
Objects identified:54
Objects ignored:0
New critical objects:54

AFTER-
Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, June 21, 2005 7:28:04 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R50 13.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

6-21-05 7:28:04 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [delldmi.exe]
FilePath : C:\DMI\bin\
ProcessID : 68
ThreadCreationTime : 6-21-05 2:49:53 PM
BasePriority : Normal

#:2 [nddeagnt.exe]
FilePath : C:\WINNT\System32\
ProcessID : 96
ThreadCreationTime : 6-21-05 2:49:53 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Network DDE Agent
InternalName : NDDEAGNT.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : NDDEAGNT.EXE

#:3 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 107
ThreadCreationTime : 6-21-05 2:49:55 PM
BasePriority : Normal
FileVersion : 4.00
ProductVersion : 4.00
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1991-1995
OriginalFilename : EXPLORER.EXE

#:4 [dnar.exe]
FilePath : C:\DMI\bin\
ProcessID : 187
ThreadCreationTime : 6-21-05 2:50:06 PM
BasePriority : Normal

#:5 [ddhelp.exe]
FilePath : C:\WINNT\System32\
ProcessID : 280
ThreadCreationTime : 6-21-05 4:25:44 PM
BasePriority : Normal
FileVersion : 4.04
ProductVersion : 4.04
ProductName : Microsoft® Windows NT(tm) Operating System
CompanyName : Microsoft Corporation
FileDescription : Direct Draw Helper
InternalName : ddhelp
LegalCopyright : Copyright © Microsoft Corp. 1981-1996
OriginalFilename : ddhelp

#:6 [iexplore.exe]
FilePath : C:\PROGRA~1\Plus!\MICROS~1\
ProcessID : 291
ThreadCreationTime : 6-21-05 11:46:56 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:7 [tmp.exe]
FilePath : C:\Program Files\DNS\
ProcessID : 267
ThreadCreationTime : 6-22-05 2:22:39 AM
BasePriority : Normal
FileVersion : 3, 1, 0, 15
Comments : http://www.autoitscript.com/autoit3/compiled.html

#:8 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 249
ThreadCreationTime : 6-22-05 2:23:17 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Trusted zone presumably compromised : slotch.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Vulnerability
Comment : Trusted zone presumably compromised : slotch.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotch.com
Trusted zone presumably compromised : xxxtoolbar.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Vulnerability
Comment : Trusted zone presumably compromised : xxxtoolbar.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\xxxtoolbar.com
Trusted zone presumably compromised : clickspring.net

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Vulnerability
Comment : Trusted zone presumably compromised : clickspring.net
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net
Trusted zone presumably compromised : mt-download.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Vulnerability
Comment : Trusted zone presumably compromised : mt-download.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com
Trusted zone presumably compromised : searchmiracle.com

Possible Browser Hijack attempt Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Vulnerability
Comment : Trusted zone presumably compromised : searchmiracle.com
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchmiracle.com
Trusted zone presumably compromised : slotch.com

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5
7:30:54 PM Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:02:49.594
Objects scanned:58647
Objects identified:5
Objects ignored:0
New critical objects:5

Here also are the before and after logs for HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:38:06 PM, on 6/21/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nst256.dll
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) -
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

After re-booting:
Logfile of HijackThis v1.99.1
Scan saved at 7:48:31 PM, on 6/21/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\System32\sex.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\System32\sex.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

AH

AtomHeart · « **Reply #12 on:** June 21, 2005, 10:05:48 PM »

[quote name=\'guestolo\' date=\'Jun 20 2005, 06:53 PM\']Is Norton's AV running properly?
It looks like the Run entries are missing, you may have to resort to uninstalling it and reinstalling

Not sure why I can't see your running processes in your log
Seen this happen with other Windows NT logs
Can you also do the following
Open Hijackthis>>Open Misc tools Section>>Open Process Manager
In the Process manager can you click on the Floppy disk icon (Save list to file)
Save the list to desktop and copy and paste it back here

Well your in Misc tools section could you also
click on Hosts File Manager
Click the "Open in Notepad"
A text file should open, can you copy and paste back the whole contents of the Hosts text file too, thanks

[post=\"45883\"]<{POST_SNAPBACK}>[/post]

[/quote]

As to Norton, it seems as if all the application files are missing from the folders. Nothing but logs remain.

As to HJT, here's the process list you've requested:
Process list saved on 7:50:41 PM, on 6/21/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)

[pid]   [full path to filename]      [file version]   [company name]
80   C:\DMI\bin\delldmi.exe
97   C:\WINNT\System32\nddeagnt.exe      4.0.1381.164   Microsoft Corporation
108   C:\WINNT\explorer.exe      4.0.1381.282   Microsoft Corporation
179   C:\DMI\bin\dnar.exe
122   C:\PROGRAM\HijackThis.exe      1.99.0.1   Soeperman Enterprises Ltd.

As to the Hosts File Manager, it's blank.

Thanks again.

AH

guestolo · « **Reply #13 on:** June 22, 2005, 12:31:51 AM »

Atom, I have to go now, but I'll do a followup tomorrow
Thanks for your patience

AtomHeart · « **Reply #14 on:** June 22, 2005, 02:08:58 PM »

Thank you...

AH

guestolo · « **Reply #15 on:** June 22, 2005, 11:05:20 PM »

Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Important>>Change the Save as Type to All Files.
Name the file as Deltrusted.reg

Save this file on the desktop
We'll need this later

Code: [Select]

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Download and Unzip The Hoster to a folder

==Download the Killbox by Option^Explicit. [color=\"red\"]*In the event you already have Killbox, this is a new version that I need you to download[/color].
* Save it to your desktop or a folder

Please Save these instructions below to a Notepad file
Start>>RUN>>type in notepad
Hit OK

Disconnect from the Internet, refer to the instructions saved to Notepad for reference

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Double click on Deltrusted.reg and allow to add or merge to the registry

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the instructions and copy the file paths below to the clipboard by highlighting ALL of them and pressing
CTRL + C

[color=\"purple\"]Killbox file paths to copy to clipboard between dotted lines[/color]
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\system32\perfcii.ini
C:\WINNT\System32\sex.exe
C:\WINNT\System32\nsz15C.dll
C:\WINNT\System32\ap2nqrd4.dat
C:\WINNT\System32\exclean.exe
C:\WINNT\usta33.ini
C:\WINNT\unstall.exe
C:\WINNT\System32\a95kfrhe.ini
C:\WINNT\exdl.exe
C:\WINNT\System32\nsz15C.dll
C:\WINNT\System32\ie2cltr.dll
C:\TEMP\ExtractDLL.dll
C:\WINNT\drexinit.dll
C:\TEMP\directrevenue.id
C:\WINNT\Profiles\wriddle\Favorites\1111
C:\WINNT\System32\vx.tll
C:\WINNT\System32\wirl.dll
C:\WINNT\FONTS\web.exe
C:\WINNT\SYSTEM32\nsr5.dll
C:\WINNT\SYSTEM32\nsn53.dll
C:\WINNT\SYSTEM32\nsd124.dll
C:\WINNT\SYSTEM32\audissrp.exe
C:\WINNT\SYSTEM32\max3548.dll
C:\WINNT\SYSTEM32\fixmapirs.exe
C:\WINNT\SYSTEM32\docntrop.dll
C:\WINNT\SYSTEM32\jltD3D.dll
C:\WINNT\SYSTEM32\nsl6F.dll
C:\WINNT\SYSTEM32\nsw81.dll
C:\WINNT\SYSTEM32\nscB9.dll
C:\WINNT\SYSTEM32\nsp42.dll
C:\WINNT\SYSTEM32\ie2cltr.dll
C:\WINNT\SYSTEM32\nsv93.dll
C:\WINNT\SYSTEM32\spkwz.dll
C:\WINNT\SYSTEM32\nsi2.dll
C:\WINNT\SYSTEM32\exdl.exe
C:\WINNT\SYSTEM32\nskEF.dll
C:\WINNT\SYSTEM32\mac80ex.idf[msbe.dll]
C:\WINNT\SYSTEM32\mac80ex.idf[Uninstall.exe]
C:\WINNT\SYSTEM32\mac80ex.idf[bargains.exe]
C:\WINNT\SYSTEM32\mac80ex.idf[adv.exe]
C:\WINNT\SYSTEM32\mac80ex.idf[adx.exe]
C:\WINNT\SYSTEM32\nst91.dll
C:\WINNT\SYSTEM32\spcgw.dll
C:\WINNT\SYSTEM32\nsu142.dll
C:\WINNT\SYSTEM32\nsu2.dll
C:\WINNT\SYSTEM32\exdl0.exe
C:\WINNT\SYSTEM32\mqexdlm.srg
C:\WINNT\SYSTEM32\exclean.exe
C:\WINNT\SYSTEM32\exdl1.exe
C:\WINNT\SYSTEM32\nsf9E.dll
C:\WINNT\SYSTEM32\nsz15C.dll
C:\WINNT\SYSTEM32\netut80ex.vxd[exdl.exe]
C:\WINNT\SYSTEM32\netut80ex.vxd[mqexdlm.srg]
C:\WINNT\SYSTEM32\netut80ex.vxd[exul.exe]
C:\WINNT\SYSTEM32\netut80ex.vxd[javexulm.vxd]
C:\WINNT\SYSTEM32\netut80ex.vxd[msexreg.exe]
C:\WINNT\SYSTEM32\netut80ex.vxd[exclean.exe]
C:\WINNT\SYSTEM32\iapb.dll
C:\WINNT\hwfysvc.exe
C:\WINNT\ojtrenc.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\CxtPls\ProxyStub.dll
C:\Program Files\CxtPls\WinGenerics.dll
C:\Program Files\CxtPls\uninstaller.exe
C:\setup4002b.ini
C:\webinstaller.dll
C:\WINNT\system32\cidft.dll
C:\WINNT\system32\cidpog32.dll
C:\WINNT\system32\gupd.dll
C:\WINNT\system32\hst32.dll
C:\WINNT\System32\cidpoq32.dll
C:\WINNT\System32\nthst32.dll
C:\WINNT\system32\icnfe.dll
C:\WINNT\system32\icqrt.dll
C:\WINNT\system32\icvbr.dll
C:\WINNT\system32\sdfup.dll
C:\WINNT\system32\wcnl32.dll
C:\WINNT\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\WINNT\system32\xcwer32.dll
C:\WINNT\system32\zxmsn.dll
C:\WINNT\system32\thun.dll
C:\WINNT\System32\thun32.dll
C:\WINNT\system32\rch32.dll

====================================================

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Don't worry about any file not found messages

If your computer does not restart automatically, please restart it manually.

After the restart and back in Windows
Stay disconnected from the Internet

Find and delete these folders if found
C:\Program Files\CxtPls
C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\WINNT\SYSTEM32\Log Files

Open Hoster and
Press "Restore Original Hosts" and press "OK".
Then Exit

Do another scan with Hijackthis and put a check next to these entries:
Not all may exist, but take a look

O4 - HKLM\..\Run: [Windows Service] C:\WINNT\System32\sex.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\System32\sex.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer one more time

Back in windows
Run another scan at Panda's
Ensure you have it set to Autoclean
Restart your computer if anything was repaired or deleted

Back in Windows
Post the new report from Panda's

Also run another scan with Hijackthis and post a fresh log

AtomHeart · « **Reply #16 on:** June 23, 2005, 10:33:03 PM »

a)
Everything worked fine up past downloading killbox. However at the add/remove programs phase, I got an Uninstaller Error as follows:

"An error occurred while trying to remove SecurityiGuard. Uninstallation has been canceled"

BTW, neither Virtual Maid nor Search Maid appeared.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' />
Was able to merge Deltrusted, no problem, in addition to running Windows Cleanup! (I had to download it, as it wasn't included within the programs in this computer.)

c)
When running Killbox, I received the following error message:
"Run-Time error '453': Can't find DLL entry point Create Toolhelp32 snapshot in kernel32"

Therefore I was unable to follow any of the following Killbox file path commands

d)
As to finding and deleting folders, only the SecurityIGuard program was installed, which I of course deleted.

e)
Ran Hoster as instructed. No problems.

f)
Deleted the entries in HJT as instructed, but they've been re-installed (refer to below HJT log)

g)
Ran Panda's. Following is the report:

Incident Status Location

Virus:W32/Admincash.B No disinfected Operating system
Adware:Adware/Beginto No disinfected C:\WINNT\System32\nsgAF.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\System32\cache32_rtneg?
Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINNT\System32\nsgAF.dll
Adware:Adware/SuperSpider No disinfected C:\WINNT\msxmidi.exe
Adware:Adware/Pacimedia No disinfected C:\WINNT\Profiles\wriddle\Favorites\1111\1111.url
Adware:Adware/Admess No disinfected Windows Registry
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\System32\dload.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\MaxiFiles
Adware:Adware/BigTrafficNet No disinfected Windows Registry
Adware:Adware/SpySheriff No disinfected C:\winstall.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsz64.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsr155.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsk2.dll
Adware:Adware/Coolmegasearch No disinfected C:\WINNT\SYSTEM32\talM32SBA.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsi24A.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\SYSTEM32\sex.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsc23E.dll
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\SYSTEM32\dload.exe
Adware:Adware/Maxifiles No disinfected C:\WINNT\SYSTEM32\mc-58-12-0000093.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsf2B8.dll
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nst29C.dll
Virus:W32/Admincash.B Disinfected C:\WINNT\SYSTEM32\f5aea500.exe
Adware:Adware/Beginto No disinfected C:\WINNT\SYSTEM32\nsgAF.dll
Virus:W32/Admincash.B Disinfected C:\WINNT\SYSTEM32\web.exe
Adware:Adware/SpywareNo No disinfected C:\WINNT\Fonts\sefe.exe
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\Fonts\sex.exe
Adware:Adware/SpywareNo No disinfected C:\WINNT\Profiles\hsmith\Desktop\sefe.exe
Adware:Adware/Pacimedia No disinfected C:\WINNT\Profiles\wriddle\Favorites\1111\1111.url
Adware:Adware/Startpage.AAO No disinfected C:\WINNT\Profiles\wriddle\Desktop\sex.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Profiles\wriddle\Desktop\convert.exe
Adware:Adware/ISearch No disinfected C:\WINNT\Profiles\wriddle\Desktop\eare.exe
Adware:Adware/SpywareNo No disinfected C:\WINNT\Profiles\wriddle\Desktop\sefe.exe
Virus:W32/Admincash.B No disinfected C:\WINNT\EXPLORER.EXE
Virus:W32/Admincash.B Disinfected C:\WINNT\msxmidi.exe
Virus:W32/Admincash.B Disinfected C:\WINNT\Downloaded Program Files\CONFLICT.1\soft.exe
Adware:Adware/2Z0o No disinfected C:\WINNT\hwfysvc.exe
Adware:Adware/2Z0o No disinfected C:\WINNT\ojtrenc.exe
Virus:VBS/Bagle.Q Disinfected C:\q123.vbs
Virus:W32/Admincash.B Disinfected C:\web.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/SpywareNo No disinfected C:\Program Files\SpySheriff\ProcMon.dll
Adware:Adware/SAHAgent No disinfected C:\setup4002b.ini

h)
Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:05 PM, on 6/23/05
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\Program Files\DNS\Catcher.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINNT\System32\nsw2.dll
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.c4tdownload.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.f1organizer.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.megapornix.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.overpro.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marcomarine.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 206.81.192.1 204.147.80.5
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: dmisrv - Unknown owner - C:\DMI\bin\dmisrv.exe
O23 - Service: 3Com dRMON SmartAgent PC Software (dRMON SmartAgent) - 3Com Corp. - C:\WINNT\System32\drmon\smartagt\smartagt.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: OracleClientCache80 - Unknown owner - D:\Oracle\oratools\BIN\ONRSD80.EXE
O23 - Service: Win32sl - Intel - C:\DMI\bin\win32sl.exe

I really do appreciate all the time and effort you've been undergoing on my behalf. I swear to you, I'll figure out a way of contributing...

Thanks again.

AH

AtomHeart · « **Reply #17 on:** June 23, 2005, 10:41:36 PM »

I've also noticed the following problems, which are re-occurring constantly throughout:

A file called "Tasks" keeps re-appearing on my desktop. It's file type is simply "file". It appears under my Winnt\profiles\personal desktop directory. If I delete it, it simply reappears very shortly thereafter. Once it appears, then that's when all the ugly stuff starts to happen; i.e. dialers, etc. Following are some of the problems that seem to re-occur when this happens:

1)
A dialer called "127062.dlr" keeps engaging. If I delete it, it simply re-appears after the aforementioned "Tasks" file re-appears. Then applications called "sex" and "sex2" start processing.

2)
There's a version of explorer.exe that's installed on C:\Winnt that somehow came from this nasty virus.

3)
There's a registry entry folder that also keeps re-appearing called "Doc Find Spec MRU". Again, if I delete it, it simply re-appears.

Regards,

AH

guestolo · « **Reply #18 on:** June 25, 2005, 05:30:41 PM »

This is going to be a tough one, but can you please do the following

Access your Add/Remove programs and remove if found
SpySheriff

Next:Explorer.exe appears to be infected
Panda's usually disinfects it, but not this time
Mind you with Explorer.exe running, it would have a hard time disinfecting it
We must get you a program to aid in the removal
Can you make your way to the link I supplied and follow Calamity Jane's advice on how to install and run KAV Personal 5.0 Trial
http://forums.subratam.org/index.php?showtopic=3466
She has supplied direct download links for the Trial version

Don't forget to save the log after you run it
Also, at the point to start into safe mode
Because your running Windows NT, you will have to choose VGA mode on startup

We will have more cleaning to do afterwards
So when you have done the above
Post a fresh Hijackthis log and also include the Report from Kaspersky's

Remember the important steps from the link supplied
End task on Explorer.exe by using your taskmanager before running Kapersky's
Disable your AV you have installed now, this may even include uninstalling Symantec's if it gets in the way

News:

Author Topic: everydaypain.info, tasks file, etc. (Read 2840 times)