CoolWebSearch has taken over!

Comments

  • kkiesel, Fairlawn, OH
    edited February 2006
    Process list saved on 4:21:45 PM, on 2/10/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)

    [pid] [full path to filename] [file version] [company name]
    744 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
    852 C:\WINDOWS\system32\winlogon.exe 5.1.2600.1106 Microsoft Corporation
    896 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
    908 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
    1080 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
    1124 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
    1476 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.1699 Microsoft Corporation
    1580 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe 7.1.0.365 GRISOFT, s.r.o.
    1592 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe 7.1.0.349 GRISOFT, s.r.o.
    1636 C:\Program Files\ewido anti-malware2\ewidoctrl.exe 3.0.0.1 ewido networks
    1652 C:\Program Files\ewido anti-malware2\ewidoguard.exe 3.0.0.1 ewido networks
    1736 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
    360 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
    456 C:\WINDOWS\System32\hkcmd.exe 3.0.0.2285 Intel Corporation
    464 C:\Program Files\Yahoo!\browser\ybrwicon.exe 2003.7.11.1 Yahoo!, Inc.
    480 C:\Program Files\BroadJump\Client Foundation\CFD.exe 2.0.9.19
    500 C:\PROGRA~1\Yahoo!\browser\ycommon.exe 2003.7.14.1 Yahoo!, Inc.
    512 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe 5.8.0.13 Visual Networks
    528 C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe 5.8.0.13 Visual Networks
    552 C:\Program Files\iTunes\iTunesHelper.exe 4.7.0.42 Apple Computer, Inc.
    596 C:\Program Files\QuickTime\qttask.exe 6.5.1.17 Apple Computer, Inc.
    676 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE 1.0.0.245 DeviceGuys
    688 C:\Program Files\iPod\bin\iPodService.exe 4.7.0.42 Apple Computer, Inc.
    1060 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe 7.1.0.355 GRISOFT, s.r.o.
    1856 C:\Program Files\Lexmark X125\LEX125SU.exe 1.0.0.8 Lexmark International
    212 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe 13.0.4.7 Intuit, Inc.
    3500 C:\Program Files\Mozilla Firefox\firefox.exe 1.8.20060.11112 Mozilla Corporation
    2756 C:\Program Files\Messenger\MSMSGS.EXE 4.7.0.2010 Microsoft Corporation
    3672 C:\WINDOWS\System32\taskmgr.exe 5.1.2600.1106 Microsoft Corporation
    1356 C:\WINDOWS\System32\wuauclt.exe 5.8.0.2469 Microsoft Corporation
    616 C:\HijackThis\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
  • kkiesel, Fairlawn, OH
    edited February 2006
    SilentRunners log:

    "Silent Runners.vbs", revision 43, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
    "YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."]
    "BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
    "IPInSightLAN 03" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"]
    "IPInSightMonitor 03" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"]
    "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "LMPDPSRV" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE" ["DeviceGuys"]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["TODO: <Company name>"]
    "{45994ec6-2fe3-11d4-aace-00c04f9908b1}" = "Lexmark X125"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\LMBGShEx.dll" ["DeviceGuys"]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware2\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware2\context.dll" ["ewido networks"]
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware2\context.dll" ["ewido networks"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


    Enabled Screen Saver:

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "New Admin" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Lexmark X125 Settings Utility" -> shortcut to: "C:\Program Files\Lexmark X125\LEX125SU.exe" ["Lexmark International"]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
    "QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{D7F30B62-8269-41AF-9539-B2697FA7D77E}" = "Pop-Up Blocker"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\EarthLink TotalAccess\PnEL.dll" ["EarthLink, Inc."]

    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll" ["Yahoo! Inc."]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {2499216C-4BA5-11D5-BD9C-000103C116D5}\
    "ButtonText" = "Yahoo! Login"
    "MenuText" = "Yahoo! Login"
    "CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."]

    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\
    "ButtonText" = "Messenger"
    "MenuText" = "Yahoo! Messenger"
    "CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware2\ewidoctrl.exe" ["ewido networks"]
    ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware2\ewidoguard.exe" ["ewido networks"]
    iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]


    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    (total run time: 193 seconds, including 19 seconds for message boxes)
  • Trogan, London, UK
    edited February 2006
    Silent Runners is not showing anything bad.

    I would suggest uninstalling Ewido as it is not needed right now and it may free up resources, which should hopefully speed things up.
  • kkiesel, Fairlawn, OH
    edited February 2006
    I'm just about to download AVG Antivirus to the desktop of the new user. Is there anything else you can recommend in addition to AVG (or in place of it), ewido and Ad-Aware to keep this computer bug-free?
  • kkiesel, Fairlawn, OH
    edited February 2006
    Decided to run a scan with ewido before deleting it. Any idea how all this stuff got here?

    ewido anti-malware - Scan report

    + Created on: 5:32:42 PM, 2/10/2006
    + Report-Checksum: 35DB3C60

    + Scan result:

    :mozilla.14:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.61:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    :mozilla.62:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\9bop1m5w.default\cookies.txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    :mozilla.16:C:\Documents and Settings\New Admin\Application Data\Mozilla\Firefox\Profiles\sn1st5e5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\New Admin\Application Data\Mozilla\Firefox\Profiles\sn1st5e5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Owner\Application Data\Earthlink\6.0\chriscsotty@earthlink.net\Cookies\owner@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.71:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.72:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    :mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
    :mozilla.128:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
    :mozilla.130:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.132:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.133:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.134:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
    :mozilla.177:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\te1ka1oc.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
    C:\RECYCLER\S-1-5-21-776561741-854245398-1060284298-1003\Dc45\mm4.exe -> Logger.Delf.ig : Cleaned with backup
    C:\RECYCLER\S-1-5-21-776561741-854245398-1060284298-1003\Dc45\mm4.exe.bak -> Logger.Delf.ig : Cleaned with backup
    C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup


    ::Report End
  • kkiesel, Fairlawn, OH
    edited February 2006
    Grrrrrrrr.... And here's the Ad-Aware SE logfile from the scan I just completed:

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Friday, February 10, 2006 5:41:27 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R91 08.02.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Adware.Z-Quest(TAC index:4):2 total references
    CmdServices(TAC index:4):8 total references
    CoolWebSearch(TAC index:10):9 total references
    e2give(TAC index:7):5 total references
    MRU List(TAC index:0):9 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    2-10-2006 5:41:27 PM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : C:\Documents and Settings\New Admin\recent
    Description : list of recently opened documents


    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\mediaplayer\preferences
    Description : last playlist loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\search assistant\acmru
    Description : list of recent search terms used with the search assistant


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\windows\currentversion\applets\paint\recent file list
    Description : list of files recently opened using microsoft paint


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : S-1-5-21-776561741-854245398-1060284298-1006\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 744
    ThreadCreationTime : 2-10-2006 7:52:29 PM
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 828
    ThreadCreationTime : 2-10-2006 7:52:31 PM
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 852
    ThreadCreationTime : 2-10-2006 7:52:38 PM
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 896
    ThreadCreationTime : 2-10-2006 7:52:41 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 908
    ThreadCreationTime : 2-10-2006 7:52:41 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
    ProductVersion : 5.1.2600.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1080
    ThreadCreationTime : 2-10-2006 7:52:44 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1124
    ThreadCreationTime : 2-10-2006 7:52:44 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1256
    ThreadCreationTime : 2-10-2006 7:52:46 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1280
    ThreadCreationTime : 2-10-2006 7:52:46 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1476
    ThreadCreationTime : 2-10-2006 7:52:49 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.1699 (xpsp2.050610-1533)
    ProductVersion : 5.1.2600.1699
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:11 [avgamsvr.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1580
    ThreadCreationTime : 2-10-2006 7:52:51 PM
    BasePriority : Normal
    FileVersion : 7,1,0,365
    ProductVersion : 7.1.0.365
    ProductName : AVG Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Alert Manager
    InternalName : avgamsvr
    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename : avgamsvr.EXE

    #:12 [avgupsvc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1592
    ThreadCreationTime : 2-10-2006 7:52:51 PM
    BasePriority : Normal
    FileVersion : 7,1,0,349
    ProductVersion : 7.1.0.349
    ProductName : AVG 7.0 Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Update Service
    InternalName : avgupsvc
    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename : avgupdsvc.EXE

    #:13 [ewidoctrl.exe]
    FilePath : C:\Program Files\ewido anti-malware2\
    ProcessID : 1636
    ThreadCreationTime : 2-10-2006 7:52:51 PM
    BasePriority : Normal
    FileVersion : 3, 0, 0, 1
    ProductVersion : 3, 0, 0, 1
    ProductName : ewido control
    CompanyName : ewido networks
    FileDescription : ewido control
    InternalName : ewido control
    LegalCopyright : Copyright © 2004
    OriginalFilename : ewidoctrl.exe

    #:14 [ewidoguard.exe]
    FilePath : C:\Program Files\ewido anti-malware2\
    ProcessID : 1652
    ThreadCreationTime : 2-10-2006 7:52:51 PM
    BasePriority : Normal
    FileVersion : 3, 0, 0, 1
    ProductVersion : 3, 0, 0, 1
    ProductName : guard
    CompanyName : ewido networks
    FileDescription : guard
    InternalName : guard
    LegalCopyright : Copyright © 2004
    OriginalFilename : guard.exe

    #:15 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1736
    ThreadCreationTime : 2-10-2006 7:52:54 PM
    BasePriority : Normal
    FileVersion : 5.1.2600.0 (xpclient.010817-1148)
    ProductVersion : 5.1.2600.0
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:16 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 360
    ThreadCreationTime : 2-10-2006 7:53:26 PM
    BasePriority : Normal
    FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
    ProductVersion : 6.00.2800.1106
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:17 [hkcmd.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 456
    ThreadCreationTime : 2-10-2006 7:53:52 PM
    BasePriority : Normal
    FileVersion : 3.0.0.2285
    ProductVersion : 7.0.0.2285
    ProductName : Intel(R) Common User Interface
    CompanyName : Intel Corporation
    FileDescription : hkcmd Module
    InternalName : HKCMD
    LegalCopyright : Copyright 1999-2003, Intel Corporation
    OriginalFilename : HKCMD.EXE

    #:18 [ybrwicon.exe]
    FilePath : C:\Program Files\Yahoo!\browser\
    ProcessID : 464
    ThreadCreationTime : 2-10-2006 7:53:53 PM
    BasePriority : Normal
    FileVersion : 2003, 7, 11, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Yahoo!, Inc. YBrwIcon
    CompanyName : Yahoo!, Inc.
    FileDescription : YBrwIcon
    InternalName : YBrwIcon
    LegalCopyright : Copyright © 2003
    OriginalFilename : YBrwIcon.exe

    #:19 [cfd.exe]
    FilePath : C:\Program Files\BroadJump\Client Foundation\
    ProcessID : 480
    ThreadCreationTime : 2-10-2006 7:54:02 PM
    BasePriority : Normal


    #:20 [ycommon.exe]
    FilePath : C:\PROGRA~1\Yahoo!\browser\
    ProcessID : 500
    ThreadCreationTime : 2-10-2006 7:54:04 PM
    BasePriority : Normal
    FileVersion : 2003, 7, 14, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : YCommon Exe Module
    CompanyName : Yahoo!, Inc.
    FileDescription : YCommon Exe Module
    InternalName : YCommonExe
    LegalCopyright : Copyright 2003 Yahoo! Inc.
    OriginalFilename : YCommon.EXE

    #:21 [ipclient.exe]
    FilePath : C:\Program Files\Visual Networks\Visual IP InSight\SBC\
    ProcessID : 512
    ThreadCreationTime : 2-10-2006 7:54:06 PM
    BasePriority : Normal
    FileVersion : 5.8.0.13
    ProductVersion : 5.8.0.13
    ProductName : Visual IP InSight
    CompanyName : Visual Networks
    FileDescription : IP Session Statistics
    InternalName : IPCLIENT
    LegalCopyright : Copyright © 2003 Visual Networks Technologies, Inc.
    OriginalFilename : ipclient32.exe

    #:22 [ipmon32.exe]
    FilePath : C:\Program Files\Visual Networks\Visual IP InSight\SBC\
    ProcessID : 528
    ThreadCreationTime : 2-10-2006 7:54:08 PM
    BasePriority : Normal
    FileVersion : 5.8.0.13
    ProductVersion : 5.8.0.13
    ProductName : Visual IP InSight
    CompanyName : Visual Networks
    FileDescription : IP Monitor
    InternalName : IPMON32
    LegalCopyright : Copyright © 2003 Visual Networks Technologies, Inc.
    OriginalFilename : ipmon32.exe

    #:23 [ituneshelper.exe]
    FilePath : C:\Program Files\iTunes\
    ProcessID : 552
    ThreadCreationTime : 2-10-2006 7:54:10 PM
    BasePriority : Normal
    FileVersion : 4.7.0.42
    ProductVersion : 4.7.0.42
    ProductName : iTunes
    CompanyName : Apple Computer, Inc.
    FileDescription : iTunesHelper Module
    InternalName : iTunesHelper
    LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename : iTunesHelper.exe

    #:24 [qttask.exe]
    FilePath : C:\Program Files\QuickTime\
    ProcessID : 596
    ThreadCreationTime : 2-10-2006 7:54:13 PM
    BasePriority : Normal
    FileVersion : 6.5.1
    ProductVersion : QuickTime 6.5.1
    ProductName : QuickTime
    CompanyName : Apple Computer, Inc.
    InternalName : QuickTime Task
    LegalCopyright : © Apple Computer, Inc. 2001-2004
    OriginalFilename : QTTask.exe

    #:25 [lmpdpsrv.exe]
    FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
    ProcessID : 676
    ThreadCreationTime : 2-10-2006 7:54:18 PM
    BasePriority : Normal
    FileVersion : 1.0.0.245
    ProductVersion : 1.0.0.245
    ProductName : Printer Driver Plus
    CompanyName : DeviceGuys
    FileDescription : PDP RPC Server
    InternalName : PDPserver
    LegalCopyright : Copyright© DeviceGuys, Inc. 1996-2002
    OriginalFilename : PDPserve.dll

    #:26 [ipodservice.exe]
    FilePath : C:\Program Files\iPod\bin\
    ProcessID : 688
    ThreadCreationTime : 2-10-2006 7:54:21 PM
    BasePriority : Normal
    FileVersion : 4.7.0.42
    ProductVersion : 4.7.0.42
    ProductName : iTunes
    CompanyName : Apple Computer, Inc.
    FileDescription : iPodService Module
    InternalName : iPodService
    LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename : iPodService.exe

    #:27 [avgcc.exe]
    FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
    ProcessID : 1060
    ThreadCreationTime : 2-10-2006 7:54:32 PM
    BasePriority : Normal
    FileVersion : 7,1,0,355
    ProductVersion : 7.1.0.355
    ProductName : AVG Anti-Virus System
    CompanyName : GRISOFT, s.r.o.
    FileDescription : AVG Control Center
    InternalName : AvgCC
    LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
    OriginalFilename : AvgCC.EXE

    #:28 [lex125su.exe]
    FilePath : C:\Program Files\Lexmark X125\
    ProcessID : 1856
    ThreadCreationTime : 2-10-2006 7:55:22 PM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 8
    ProductVersion : 1, 0, 0, 8
    ProductName : Lexmark X125
    CompanyName : Lexmark International
    FileDescription : Lexmark X125 Settings Utility
    InternalName : CPQMFP
    LegalCopyright : Copyright (c) 2002
    OriginalFilename : CPQMFP.EXE
    Comments : Softeq Development Corporation

    #:29 [qbupdate.exe]
    FilePath : C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\
    ProcessID : 212
    ThreadCreationTime : 2-10-2006 7:55:41 PM
    BasePriority : Normal
    FileVersion : 13.0 R7
    ProductVersion : 13.0 R7
    ProductName : QuickBooks
    CompanyName : Intuit, Inc.
    FileDescription : QBUpdate Module
    InternalName : QBUpdate
    LegalCopyright : Copyright © Intuit, Inc. 1993-2003.
    OriginalFilename : QBUpdate.exe

    #:30 [firefox.exe]
    FilePath : C:\Program Files\Mozilla Firefox\
    ProcessID : 3500
    ThreadCreationTime : 2-10-2006 7:56:48 PM
    BasePriority : Normal


    #:31 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ProcessID : 2756
    ThreadCreationTime : 2-10-2006 8:14:38 PM
    BasePriority : Normal
    FileVersion : 4.7.2010
    ProductVersion : Version 4.7
    ProductName : Messenger
    CompanyName : Microsoft Corporation
    FileDescription : Messenger
    InternalName : msmsgs
    LegalCopyright : Copyright (c) Microsoft Corporation 1997-2003
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msmsgs.exe

    #:32 [wuauclt.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1356
    ThreadCreationTime : 2-10-2006 8:55:58 PM
    BasePriority : Normal
    FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
    ProductVersion : 5.8.0.2469
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Automatic Updates
    InternalName : wuauclt.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : wuauclt.exe

    #:33 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 760
    ThreadCreationTime : 2-10-2006 10:40:07 PM
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 9


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 9


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 9


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 9



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CmdServices Object Recognized!
    Type : File
    Data : cmdinst.exe
    TAC Rating : 4
    Category : Adware
    Comment :
    Object : C:\Documents and Settings\Owner\Local Settings\Temp\
    FileVersion : 1.0.1
    CompanyName :
    FileDescription : Command Desktop Setup
    LegalCopyright :
    Comments : This installation was built with Inno Setup: http://www.innosetup.com


    CoolWebSearch Object Recognized!
    Type : File
    Data : A0137971.dll
    TAC Rating : 10
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP264\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Replace Module
    FileDescription : Replace Module
    InternalName : Replace
    LegalCopyright : Copyright 2003
    OriginalFilename : Replace.DLL


    e2give Object Recognized!
    Type : File
    Data : A0137972.dll
    TAC Rating : 7
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP264\
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    ProductName : e2g plugin
    CompanyName : e2give, LLC
    FileDescription : http://e2give.com/license.html
    InternalName : IeBHOs.dll
    LegalCopyright : Copyright © 2003 e2give, LLC
    OriginalFilename : IeBHOs.dll
    Comments : e2g plugin


    CoolWebSearch Object Recognized!
    Type : File
    Data : MFEX-1.DAT
    TAC Rating : 10
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP264\snapshot\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Replace Module
    FileDescription : Replace Module
    InternalName : Replace
    LegalCopyright : Copyright 2003
    OriginalFilename : Replace.DLL


    e2give Object Recognized!
    Type : File
    Data : MFEX-4.DAT
    TAC Rating : 7
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP264\snapshot\
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    ProductName : e2g plugin
    CompanyName : e2give, LLC
    FileDescription : http://e2give.com/license.html
    InternalName : IeBHOs.dll
    LegalCopyright : Copyright © 2003 e2give, LLC
    OriginalFilename : IeBHOs.dll
    Comments : e2g plugin


    CoolWebSearch Object Recognized!
    Type : File
    Data : A0143981.dll
    TAC Rating : 10
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP266\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Replace Module
    FileDescription : Replace Module
    InternalName : Replace
    LegalCopyright : Copyright 2003
    OriginalFilename : Replace.DLL


    CoolWebSearch Object Recognized!
    Type : File
    Data : A0143982.dll
    TAC Rating : 10
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP266\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Replace Module
    FileDescription : Replace Module
    InternalName : Replace
    LegalCopyright : Copyright 2003
    OriginalFilename : Replace.DLL


    e2give Object Recognized!
    Type : File
    Data : A0144130.dll
    TAC Rating : 7
    Category : Malware
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP266\
    FileVersion : 1.0.0.1
    ProductVersion : 1.0.0.1
    ProductName : e2g plugin
    CompanyName : e2give, LLC
    FileDescription : http://e2give.com/license.html
    InternalName : IeBHOs.dll
    LegalCopyright : Copyright © 2003 e2give, LLC
    OriginalFilename : IeBHOs.dll
    Comments : e2g plugin


    CoolWebSearch Object Recognized!
    Type : File
    Data : A0147281.dll
    TAC Rating : 10
    Category : Data Miner
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP267\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Replace Module
    FileDescription : Replace Module
    InternalName : Replace
    LegalCopyright : Copyright 2003
    OriginalFilename : Replace.DLL


    Adware.Z-Quest Object Recognized!
    Type : File
    Data : A0151397.exe
    TAC Rating : 4
    Category : Adware
    Comment :
    Object : C:\System Volume Information\_restore{2E836F05-749D-468A-863C-80EA5F3C5A29}\RP280\



    Adware.Z-Quest Object Recognized!
    Type : File
    Data : WinDy.exe
    TAC Rating : 4
    Category : Adware
    Comment :
    Object : C:\WINDOWS\



    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 20


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    65 entries scanned.
    New critical objects:0
    Objects found so far: 20




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CmdServices Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : DisplayName

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : DisplayVersion

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : NoModify

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : NoRemove

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : NoRepair

    CmdServices Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 4
    Category : Adware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\downloadmanager

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Custom Search URL

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    CoolWebSearch Object Recognized!
    Type : File
    Data : wbemess.log
    TAC Rating : 10
    Category : Malware
    Comment :
    Object : C:\WINDOWS\System32\wbem\logs\



    e2give Object Recognized!
    Type : File
    Data : data.~
    TAC Rating : 7
    Category : Malware
    Comment :
    Object : C:\WINDOWS\System32\



    e2give Object Recognized!
    Type : File
    Data : log.~
    TAC Rating : 7
    Category : Malware
    Comment :
    Object : C:\WINDOWS\System32\



    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 13
    Objects found so far: 33

    5:56:54 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:15:26.743
    Objects scanned:105136
    Objects identified:24
    Objects ignored:0
    New critical objects:24
  • Trogan London, UK
    edited February 2006
    Can you download these tools please:

    Spybot Search & Destroy
    SpywareBlaster


    Both can be found here

    Update them both and scan with SpyBot.

    Reboot and let us know how things are.
  • kkiesel Fairlawn, OH
    edited February 2006
    Ran SpyBot with System Restore off. It found 27 infections of varying nastiness, most of which I had never heard of before, although NewDotNet made another appearance. I haven't had a chance to run SpywareBlaster yet, but I will as soon as I get back to work on Monday. Will let you know then how the system is. Excellent advice! Thanks once again!

    --kkiesel
  • Trogan London, UK
    edited February 2006
    Please do not turn system restore off. Should anything go wrong, there will be no working restore to go back to.

    If Spybot found NewDotNet, then please post a new HJT log.


    It seems to me that the best thing would be to transfer everything that is needed to the new account and back up anything else. Then, completely delete the old account. Don't do this yet, wait and see what prof says first. :)