dafficus
Member, join: 2004-06-02, Overland Park, KS
Sexdial has infected my computer

I recently was infected by some spyware that I will call "SEXDIAL" because it deposited an Icon on my desktop of the same name. I tried to delete it but it keeps returning. I am a regular user of Ad-Aware 6.0 which did NOT detect nor repair this spyware. I also own Spy Sweeper by Webroot and it is also ineffective.

1) The Spyware has rendered my Internet Explorer 6.0 useless. Most of my links on my IE 6 browser toolbar no longer work. The first page may work but on the subsequent pages I get a "This page can not be displayed".

2) In addition I get an Icon called Sexdial on my desktop. When I click properties, then Target, I get: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" www.casinopalazzo.com/index.php?source...

3) About every 5 minutes Internet Explorer will open a new web page (regardless of whether the browser is already open or not) and take me to a web page www.casinopalazzo.com, a web page that offers internet gambling by a company in the Antilles.

4) My browser home page is hijacked and redirected to some page I have never heard of.

5) Currently I can use my other browser "Mozilla Firefox" without incident. I have no idea what other problems will develop on my computer. I recently ran Ad-aware and have posted the Show log below.

Per the request of Calamity Jane I have also included my HijackThis results.

Please help me!

Thanks very much!
dafficus

My ad-aware 6.181 Show log is as follows:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, June 02, 2004 10:38:44 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R314 02.06.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R314 02.06.2004
Internal build : 246
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1201492 Bytes
Signature data size : 1181377 Bytes
Reference data size : 20051 Bytes
Signatures total : 26331
Target categories : 10
Target families : 491

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:46 %
Total physical memory:523264 kb
Available physical memory:239580 kb
Total page file size:1280120 kb
Available on page file:1065772 kb
Total virtual memory:2097024 kb
Available virtual memory:2057412 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

6-2-2004 10:38:44 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-3-2004 2:20:51 AM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:20:53 AM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:20:53 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 9/3/2002 4:59:11 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 4:59:11 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:20:53 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 9/3/2002 4:39:51 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 4:39:51 PM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:20:54 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 5:05:32 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:20:54 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 5:05:32 PM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-3-2004 2:20:56 AM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 5/12/2003 3:12:10 AM
Last accessed : 6/3/2004 3:23:31 AM
Last modified : 5/12/2003 3:12:10 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:20:56 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 9/3/2002 5:04:18 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 5:04:18 PM

#:9 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-3-2004 2:20:56 AM
BasePriority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 5/21/2003 3:33:18 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 11/13/2002 9:44:02 PM

#:10 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 6-3-2004 2:20:58 AM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 2, 0, 0, 33
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 12/13/2002 9:05:08 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 5/15/2003 8:22:36 PM

#:11 [ybrwicon.exe]
FilePath : C:\Program Files\Yahoo!\browser\
ThreadCreationTime : 6-3-2004 2:20:58 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2003, 7, 11, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Yahoo!, Inc.
FileDescription : YBrwIcon
InternalName : YBrwIcon
OriginalFilename : YBrwIcon.exe
ProductName : Yahoo!, Inc. YBrwIcon
Created on : 9/17/2003 11:41:58 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 7/11/2003 7:51:16 PM

#:12 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 6-3-2004 2:20:58 AM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 12/23/2003 3:30:13 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 12/23/2003 3:30:13 AM

#:13 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ThreadCreationTime : 6-3-2004 2:20:58 AM
BasePriority : Normal
FileSize : 68 KB
FileVersion : 2,3,0,0\
ProductVersion : 2,3,0,0\
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
OriginalFilename : hpgs2wnd.exe
ProductName : Hewlett-Packard hpgs2wnd
Created on : 4/17/2002 4:42:56 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 4/17/2002 4:42:56 PM

#:14 [point32.exe]
FilePath : C:\Program Files\Microsoft Hardware\Mouse\
ThreadCreationTime : 6-3-2004 2:20:58 AM
BasePriority : Normal
FileSize : 172 KB
FileVersion : 4.10.0851.0
ProductVersion : 4.1
Copyright : Copyright (C) Microsoft Corp. 1983-2002
CompanyName : Microsoft Corporation
FileDescription : Microsoft IntelliPoint
InternalName : POINT32
OriginalFilename : POINT32.EXE
ProductName : Microsoft IntelliPoint
Created on : 4/11/2002 3:47:52 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 4/11/2002 3:47:52 PM

#:15 [hpztsb06.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 184 KB
FileVersion : 2,133,0,0
ProductVersion : 2,133,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2002
CompanyName : HP
ProductName : HP DeskJet
Created on : 5/21/2003 12:48:35 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 7/11/2002 12:06:23 PM

#:16 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 2, 0
ProductVersion : 1, 0, 2, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 8/14/2002 11:22:52 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 8/14/2002 11:22:52 PM

#:17 [ccapp.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 4/30/2004 1:04:12 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 12/2/2003 9:11:04 PM

#:18 [directcd.exe]
FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 5.3.5.10
ProductVersion : 5.3.5.10
Copyright : Copyright (c) 2001-2003, Roxio, Inc.
CompanyName : Roxio
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : Directcd.exe
ProductName : DirectCD
Created on : 12/17/2002 5:28:00 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/29/2003 2:22:04 AM

#:19 [devdetect.exe]
FilePath : C:\Program Files\Common Files\ACD Systems\EN\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 212 KB
FileVersion : 2, 0, 1, 6
ProductVersion : 2, 0, 1, 6
Copyright : Copyright
CompanyName : ACD Systems, Ltd.
FileDescription : Device Detector
InternalName : DevDetect
OriginalFilename : DevDetect.exe
ProductName : Device Detector
Created on : 11/26/2003 11:54:56 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 11/26/2003 11:54:56 PM

#:20 [ycommon.exe]
FilePath : C:\PROGRA~1\Yahoo!\browser\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 208 KB
FileVersion : 2003, 7, 14, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003 Yahoo! Inc.
CompanyName : Yahoo!, Inc.
FileDescription : YCommon Exe Module
InternalName : YCommonExe
OriginalFilename : YCommon.EXE
ProductName : YCommon Exe Module
Created on : 9/17/2003 11:41:18 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 7/14/2003 2:55:44 PM

#:21 [bcmsmmsg.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 3.5.25 08/27/2003 20:04:35
ProductVersion : 3.5.25 08/27/2003 20:04:35
Copyright : Copyright
CompanyName : Broadcom Corporation
FileDescription : Modem Messaging Applet
InternalName : smdmstat.exe
OriginalFilename : smdmstat.exe
ProductName : BCM Modem Messaging Applet
Created on : 8/29/2003 9:59:24 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 8/29/2003 9:59:24 AM

#:22 [weather.exe]
FilePath : C:\PROGRA~1\AWS\WEATHE~1\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 760 KB
FileVersion : 3, 0, 0, 18
ProductVersion : 3, 0, 0, 18
Copyright : Copyright
CompanyName : AWS Convergence Technologies, Inc.
FileDescription : WeatherBug
InternalName : Desktop Weather
OriginalFilename : WeatherBug.exe
ProductName : AWS, Inc.WeatherBug
Created on : 3/26/2004 3:55:30 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 12/19/2001 10:23:10 PM

#:23 [rundll32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 31 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft
Created on : 9/3/2002 4:56:58 PM
Last accessed : 6/3/2004 3:21:28 AM
Last modified : 9/3/2002 4:56:58 PM

#:24 [runwin32.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 11 KB
Created on : 5/31/2004 3:57:13 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 5/31/2004 3:57:13 AM

#:25 [wininet32.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 12 KB
Created on : 5/31/2004 3:57:14 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 5/31/2004 3:57:14 AM

#:26 [hpgs2wnf.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ThreadCreationTime : 6-3-2004 2:20:59 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 2, 6, 0,
ProductVersion : 2, 6, 0,
Copyright : Copyright 2001
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
OriginalFilename : hpgs2wnf.EXE
ProductName : hpgs2wnf Module
Created on : 4/17/2002 4:49:16 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 4/17/2002 4:49:16 PM

#:27 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ThreadCreationTime : 6-3-2004 2:21:00 AM
BasePriority : Normal
FileSize : 649 KB
FileVersion : 2.6.1.45
ProductVersion : 1.0.0.0
Copyright : Copyright (c) 2001-2003 Webroot Software, Inc.
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper
ProductName : Spy Sweeper
Created on : 5/31/2004 7:53:22 PM
Last accessed : 6/3/2004 3:21:28 AM
Last modified : 2/25/2004 4:48:26 PM

#:28 [sysdoc32.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 6-3-2004 2:21:00 AM
BasePriority : Idle
FileSize : 24 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton System Doctor
InternalName : SYSDOC32
OriginalFilename : SYSDOC32.EXE
ProductName : Norton Utilities
Created on : 5/21/2003 3:25:12 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 8/14/2002 11:03:00 AM

#:29 [webshotstray.exe]
FilePath : C:\Program Files\Webshots\
ThreadCreationTime : 6-3-2004 2:21:01 AM
BasePriority : Normal
FileSize : 204 KB
FileVersion : 1.3.0.3826
ProductVersion : 1.3.0.3826
Copyright : Copyright (C) 1998
CompanyName : The Webshots Corporation
FileDescription : Webshots Desktop Tray Application
InternalName : WEBSHOTSTRAY
OriginalFilename : WEBSHOTSTRAY.EXE
ProductName : Webshots Tray Application
Created on : 5/20/2003 3:08:14 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 6/21/2002 8:55:56 PM

#:30 [diagent.exe]
FilePath : C:\Program Files\Creative\SBLive\Diagnostics\
ThreadCreationTime : 6-3-2004 2:21:02 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 1, 1, 4, 0
ProductVersion : 1.01.04
Copyright : Copyright (C) 2002 Creative Technology Ltd
CompanyName : Creative Technology Ltd
FileDescription : Creative Diagnostics Agent
InternalName : Creative Diagnostics Agent
OriginalFilename : diagent.exe
ProductName : Creative Diagnostics Agent
Created on : 5/8/2003 7:25:26 AM
Last accessed : 6/3/2004 3:21:28 AM
Last modified : 4/3/2002 6:01:00 AM

#:31 [cisvc.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:21:13 AM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:50 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 4:28:50 PM

#:32 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:21:13 AM
BasePriority : Normal
FileSize : 43 KB
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
Copyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved.
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
OriginalFilename : CTsvcCDA.EXE
ProductName : Creative Service for CDROM Access
Created on : 5/8/2003 7:25:29 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 12/13/1999 6:01:00 AM

#:33 [gearsec.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:21:13 AM
BasePriority : Normal
FileSize : 60 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 12/1/2003 12:19:04 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 6/28/2002 1:09:52 PM

#:34 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 6-3-2004 2:21:13 AM
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 2/23/2001 3:07:30 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 2/23/2001 3:07:30 PM

#:35 [navapsvc.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton AntiVirus\
ThreadCreationTime : 6-3-2004 2:21:13 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 5/21/2003 3:33:09 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 11/15/2002 12:41:26 AM

#:36 [nprotect.exe]
FilePath : C:\Program Files\Norton SystemWorks\Norton Utilities\
ThreadCreationTime : 6-3-2004 2:21:20 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 16.00.0.22
ProductVersion : 16.00.0.22
Copyright : Copyright (C) 2003 Symantec Corporation
CompanyName : Symantec Corporation
FileDescription : Norton Protection Status
InternalName : NPROTECT
OriginalFilename : NPROTECT.EXE
ProductName : Norton Utilities
Created on : 5/21/2003 3:25:30 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 8/14/2002 11:03:00 AM

#:37 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:21:21 AM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.16
Created on : 10/6/2003 7:16:00 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 10/6/2003 7:16:00 PM

#:38 [nopdb.exe]
FilePath : C:\PROGRA~1\NORTON~1\SPEEDD~1\
ThreadCreationTime : 6-3-2004 2:21:21 AM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 7.00.0.24
ProductVersion : 7.00.0.24
Copyright : Copyright (C) 2002
CompanyName : Symantec Corporation
FileDescription : NOPDB
InternalName : NOPDB
OriginalFilename : NOPDB.dll
ProductName : Norton Speed Disk
Created on : 5/21/2003 3:26:33 AM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 8/14/2002 11:00:00 AM

#:39 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 6-3-2004 2:21:21 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 9/3/2002 5:05:32 PM
Last accessed : 6/3/2004 3:20:57 AM
Last modified : 9/3/2002 5:05:32 PM

#:40 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 2:28:32 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:48 PM
Last accessed : 6/3/2004 3:28:36 AM
Last modified : 9/3/2002 4:28:48 PM

#:41 [systray.exe]
FilePath : c:\syz_dat\
ThreadCreationTime : 6-3-2004 3:08:21 AM
BasePriority : Normal

FileVersion : 1.00
ProductVersion : 1.00
CompanyName : PC-Magic Software
InternalName : systray
OriginalFilename : systray.exe
ProductName : systray

#:42 [cidaemon.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 6-3-2004 3:36:55 AM
BasePriority : Idle
FileSize : 8 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Indexing Service filter daemon
InternalName : cidaemon.exe
OriginalFilename : cidaemon.exe
ProductName : Microsoft
Created on : 9/3/2002 4:28:48 PM
Last accessed : 6/3/2004 3:28:36 AM
Last modified : 9/3/2002 4:28:48 PM

#:43 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-3-2004 3:37:42 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 2/25/2004 2:42:56 AM
Last accessed : 6/3/2004 3:36:58 AM
Last modified : 7/13/2003 4:00:20 AM

#:44 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 6-3-2004 3:37:58 AM
BasePriority : Normal
FileSize : 1462 KB
FileVersion : 4.7.2009
ProductVersion : Version 4.7
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 4/15/2003 2:05:20 AM
Last accessed : 6/3/2004 2:52:51 AM
Last modified : 4/15/2003 2:05:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pageeasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bareasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchURLeasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\SearchURL
Value :
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Pageeasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bareasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistanteasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://easy-search.biz"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearcheasy-search.biz

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://easy-search.biz"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "http://easy-search.biz"

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 7
Objects found so far: 7

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

I-LookUp Object recognized!
Type : File
Data : install.cab
Category : Malware
Comment :
Object : C:\
FileSize : 70 KB
Created on : 5/17/2004 11:47:27 PM
Last accessed : 6/3/2004 3:04:01 AM
Last modified : 5/20/2004 1:12:50 AM

Visicom Media Object recognized!
Type : File
Data : gsim.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Johnny B\Local Settings\Temp\THI1FC0.tmp\
FileSize : 598 KB
FileVersion : 2.0.0.0
ProductVersion : 2.0
CompanyName : Visicom Media
FileDescription : Browser Helper
Created on : 2/23/2004 1:32:44 AM
Last accessed : 6/3/2004 4:30:50 AM
Last modified : 10/8/2003 6:14:42 PM

ClearSearch Object recognized!
Type : File
Data : clrschuninstall_78_86.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Johnny B\Local Settings\Temp\
FileSize : 28 KB
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
Copyright : Copyright (C) 2003
FileDescription : Clear Search Uninstaller
InternalName : Clear Search Uninstaller
OriginalFilename : ClrSchUninstall.EXE
ProductName : Clear Search Uninstaller
Created on : 5/18/2004 3:11:48 AM
Last accessed : 6/3/2004 4:30:52 AM
Last modified : 4/22/2004 4:22:44 PM

DyFuCA Object recognized!
Type : File
Data : optimize.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Johnny B\Local Settings\Temp\
FileSize : 37 KB
Created on : 5/17/2004 11:48:01 PM
Last accessed : 6/3/2004 4:30:53 AM
Last modified : 5/17/2004 11:48:01 PM

BargainBuddy Object recognized!
Type : File
Data : shortcuts.txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Johnny B\Local Settings\Temp\
FileSize : 6 KB
Created on : 5/17/2004 11:50:11 PM
Last accessed : 6/3/2004 4:30:53 AM
Last modified : 5/17/2004 11:50:11 PM

ClearSearch Object recognized!
Type : File
Data : a0014547.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
FileSize : 171 KB
FileVersion : 1, 53, 0, 4
ProductVersion : 1, 53, 0, 4
Copyright : Copyright
CompanyName : Clear Search
FileDescription : CSie
InternalName : CSie
OriginalFilename : CSie.dll
ProductName : CSie
Created on : 5/17/2004 11:48:12 PM
Last accessed : 6/3/2004 4:38:04 AM
Last modified : 5/17/2004 11:48:12 PM

ClearSearch Object recognized!
Type : File
Data : a0014548.dll
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
FileSize : 52 KB
FileVersion : 1, 0, 0, 4
ProductVersion : 1, 0, 0, 4
Copyright : Copyright
CompanyName : Clear Search
FileDescription : CSss
InternalName : CSss
OriginalFilename : CSss.dll
ProductName : CSss
Created on : 5/17/2004 11:48:19 PM
Last accessed : 6/3/2004 4:38:04 AM
Last modified : 5/17/2004 11:48:19 PM

Lycos Sidesearch Object recognized!
Type : File
Data : a0014551.dll
Category : Misc
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
FileSize : 188 KB
FileVersion : 1.4.0.0
ProductVersion : 1.4.0.0
Copyright : Copyright
CompanyName : Lycos, Inc.
FileDescription : Lycos Sidesearch Client
InternalName : Lycos Sidesearch Client
OriginalFilename : sidesearch.dll
ProductName : Lycos Sidesearch Client
Created on : 4/23/2004 2:10:34 PM
Last accessed : 6/3/2004 4:38:05 AM
Last modified : 4/23/2004 2:10:34 PM

ClearSearch Object recognized!
Type : File
Data : a0014553.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
FileSize : 28 KB
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
Copyright : Copyright (C) 2003
FileDescription : Clear Search Uninstaller
InternalName : Clear Search Uninstaller
OriginalFilename : ClrSchUninstall.EXE
ProductName : Clear Search Uninstaller
Created on : 4/22/2004 4:22:44 PM
Last accessed : 6/3/2004 4:38:05 AM
Last modified : 4/22/2004 4:22:44 PM

istbar Object recognized!
Type : File
Data : a0014753.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 9 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright
FileDescription : istsvc
InternalName : istsvc
OriginalFilename : istsvc.exe
ProductName : istsvc
Created on : 5/17/2004 11:47:58 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 5/17/2004 11:47:58 PM

DyFuCA Object recognized!
Type : File
Data : a0014754.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 37 KB
Created on : 5/17/2004 11:48:02 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 5/17/2004 11:48:01 PM

WhenU Object recognized!
Type : File
Data : a0014755.exe
Category : Data Miner
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 67 KB
FileVersion : 0, 1, 5, 1
ProductVersion : 0, 1, 5, 1
Copyright : Copyright 2003
CompanyName : WhenU.com
FileDescription : DnldStub
InternalName : DnldStub
OriginalFilename : dnldstub.exe
ProductName : DnldStub Module
Created on : 5/17/2004 11:48:16 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 12/16/2003 12:22:36 AM

istbar Object recognized!
Type : File
Data : a0014756.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 67 KB
FileVersion : 1, 1, 0, 2
ProductVersion : 1, 1, 0, 2
Copyright : Copyright 2004
FileDescription : IST T00lbar
InternalName : IST T00lbar
OriginalFilename : 1stbar.dll
ProductName : 1ST Toolbar
Created on : 5/17/2004 11:48:05 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 5/17/2004 11:48:05 PM

Powerscan Object recognized!
Type : File
Data : a0014761.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 67 KB
FileVersion : 1, 1, 0, 2
ProductVersion : 1, 1, 0, 2
Copyright : Copyright (C) 2004
FileDescription : PowerScan v1.1
InternalName : PowerScan v1.1
OriginalFilename : Power-Scan.exe
ProductName : PowerScan v1.1
Created on : 5/17/2004 11:48:10 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 5/17/2004 11:48:09 PM

DyFuCA Object recognized!
Type : File
Data : a0014762.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 32 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2002
FileDescription : DyFuCA_BH Module
InternalName : DyFuCA_BH
OriginalFilename : DyFuCA_BH.DLL
ProductName : DyFuCA_BH Module
Created on : 5/17/2004 11:50:19 PM
Last accessed : 6/3/2004 4:38:09 AM
Last modified : 5/17/2004 11:50:19 PM

I-LookUp Object recognized!
Type : File
Data : a0014860.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP56\
FileSize : 148 KB
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
Copyright : Copyright 2002
FileDescription : WinDec32 Module
InternalName : WinDec32
OriginalFilename : WinDec32.DLL
ProductName : WinDec32 Module
Created on : 5/13/2004 5:30:36 PM
Last accessed : 6/3/2004 4:38:10 AM
Last modified : 5/13/2004 5:30:36 PM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 23

Deep scanning and examining files (F:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for F:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 23

Possible Browser Hijack attempt Object recognized!
Type : File
Data : adware, spyware, popups - they invade your privacy and harm your pc. protect yourself!.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.noadware.net/?hop=bonobo
Object : C:\Documents and Settings\Johnny B\Favorites\

Created on : 5/18/2004 3:19:49 AM
Last accessed : 6/3/2004 4:49:28 AM
Last modified : 5/18/2004 3:19:49 AM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : bonzi voice email.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.bonzi.com/
Object : C:\Documents and Settings\Johnny B\Favorites\Downloads Computer Parts, Updates Computer Software\

Created on : 5/18/2003 3:25:42 AM
Last accessed : 6/3/2004 4:49:30 AM
Last modified : 10/17/2003 1:11:49 AM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : cdnow.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.cdnow.com
Object : C:\Documents and Settings\Johnny B\Favorites\Internet Shopping Cars CDs Wine etc\

Created on : 5/18/2003 3:25:42 AM
Last accessed : 6/3/2004 4:49:31 AM
Last modified : 4/25/1998 7:50:10 AM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : looksmart.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.looksmart.com/
Object : C:\Documents and Settings\Johnny B\Favorites\Search Tools\

Created on : 5/18/2003 3:25:43 AM
Last accessed : 6/3/2004 4:49:34 AM
Last modified : 4/25/1998 7:50:10 AM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : readers digest internet directory.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://wangara.looksmart.com:8080/r?l3,f&pin=22de813317b509b1eb7&show=framesmall
Object : C:\Documents and Settings\Johnny B\Favorites\Search Tools\

Created on : 5/18/2003 3:25:43 AM
Last accessed : 6/3/2004 4:49:34 AM
Last modified : 4/13/1997 7:30:24 PM

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 28

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Visicom Media Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\Dynamic Toolbar

Visicom Media Object recognized!
Type : Folder
Category : Malware
Comment :
Object : c:\program files\Dynamic Toolbar

Visicom Media Object recognized!
Type : File
Data : gsim
Category : Malware
Comment :
Object : c:\program files\dynamic toolbar\

Created on : 2/23/2004 1:33:03 AM
Last accessed : 6/3/2004 4:34:38 AM
Last modified : 2/23/2004 1:33:03 AM

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 31

11:52:38 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :01:13:54:578
Objects scanned :1048325
Objects identified :31
Objects ignored :0
New objects :31

Logfile of HijackThis v1.97.7
Scan saved at 11:12:35 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
c:\syz_dat\systray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johnny B\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.isearch.com/index.php?ref=none
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://63.219.178.91/1/deaGB89.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab

Duke396
@gastonia1.nc.us

Anon

I don't know how to interpret the HijackThis stuff exactly, but one thing you may want to do is find a friend who has IE6 and get them to send you their IEXPLORE.EXE file and replace yours with it. This may or may not help; the file might replace itself and you'll be in the same situation as before, or it might not be that file's problem after all. I really don't know anything about this particular problem, but you should check out these links; maybe they will provide more help:

»cant get rid of CWS.Searchx
»[Help] Search portal spyware got me now.

Jasonx345
@dal1-4.xx.173.xx.dal

Anon

Re: Sexdial has infected my computer

Wow, ok.

Willboe, I see these that are wrong.

wininet32.exe »fr.trendmicro-europe.com ··· &VSect=T

runwin32.exe »securityresponse.symante ··· ght.html

Please follow their steps & post a new HJT log.

MapleLeaf
Premium Member
join:2001-09-04
Burnaby, BC

1 edit

1 recommendation

MapleLeaf to dafficus

The most unpleasant thing is PWSteal.AlLight

Check Symantec's recommendations on trojan removal; as for the log entries, these lines have to go:

C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »www.isearch.com/index.php?ref=none
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111237} - »63.219.178.91/1/deaGB89.exe

Sparrow
Crystal Sky
Premium Member
join:2002-12-03
Sachakhand

4 edits

1 recommendation

Sparrow to Anon

Re: Sexdial has infected my computer


THIS POST IS FOR dafficus

This is why you are unable to delete/remove the files:

From your Deep registry scan result:

Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
Object : C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP55\
etc..., etc..., etc...

You need to turn off System Restore before you run Ad-aware again. What is happening is the malware is caught up in System Restore and is not being removed from your registry.

To turn off System Restore:
Right Click on the My Computer icon > Open the System Restore tab > Turn off System Restore.

You will get a pop-up warning that you will not be able to track or undo changes to your computer. It will ask, "Do you want to turn off System Restore?" Click Yes.

If you have not yet done so, please read through, and follow the directions given in order in the FAQ, »Security »I think my computer is infected or hijacked. What should I do? .

After you follow those steps, run the logs again and post back.

EDIT: dafficus, please follow CalamityJane's instructions below. Good luck!

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

1 edit

1 recommendation

CalamityJane to dafficus

Re: Sexdial has infected my computer

Hi dafficus,

First - please do NOT do any fixes suggested yet with HijackThis until we get your program into a proper folder so it can make proper backups. Right now it's not, and I'll post instructions for that in just a few minutes.

The problem is not the files in System Restore. You most likely have a CoolWebSearch infection, in which the hidden files reinfecting you are especially difficult to find, but with some patience we should be able to get to them.

I would not advise resetting your restore point just yet. Removing the spyware and hijackers you have on your PC *might* create some problems and we really need to have a functioning restore point to go back to in case something does cause a problem. It is best to get rid of the backups in System Restore after we get the PC clean and can make sure everything is working properly. Those files aren't the ones reinfecting you at the moment.

I see that you have the updated Adaware and it has taken care of a multitude of problems, but the main infection possibly affecting you is a difficult one to remove. None of the commercial products are able to do a good job of this (yet).

Don't do anything yet, please. Let me write up some instructions before you fix anything.

Edit to fix typos
CalamityJane

1 recommendation

1. Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder and don't run it straight out of the zip file. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like.

2. Next, Unzip HijackThis again and extract & save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

3. Make a copy of these instructions and print them out to have on hand as this will all need to be done in safe mode where you cannot go online.

4. Next, please reboot your PC into SAFE MODE, making sure that only HijackThis is open.

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
quote:
Windows XP
To use the System Configuration Utility method

1. Close all open programs.
2. Click Start, and then click Run. The Run dialog box appears.
3. As shown in this illustration, type msconfig and then click OK.
4. The System Configuration Utility appears, go to the tab at the top named Boot.ini. Check the "/SAFEBOOT" option, and then click OK.
5. You then see the prompt to restart the computer. Click Restart.
6. The computer restarts in Safe mode. (This can take several minutes.)
7. Perform the troubleshooting steps for which you are using Safe Mode.
8. When you are finished with troubleshooting in Safe mode repeat steps 1-5, but in step 4, uncheck "/SAFEBOOT"
9. Close all programs and restart the computer as you normally would.

5. In SAFE MODE, scan with HijackThis running it from the special folder you made for it and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = »easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »easy-search.biz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = »easy-search.biz

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = »easy-search.biz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »www.isearch.com/index.php?ref=none

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
....................
Fix these two Proxy settings IF you are not using a proxy and did NOT set them yourself. If you did set them and are using a proxy, then leave them alone. It is quite possible the trojan running on your system set these.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
............................
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe

O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe

O16 - DPF: {11111111-1111-1111-1111-111111111237} - »63.219.178.91/1/deaGB89.exe

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - »download.weatherbug.com/minibug/trickl..
.....................
6. Stay in SAFE MODE and delete these files named in bold:

C:\WINDOWS\runwin32.exe

C:\WINDOWS\wininet32.exe

7. Stay in SAFE MODE and do a full custom deep scan with Adaware - let it remove any bad items found.
.............................
8. Reboot your PC into normal mode.
Follow these instructions to check your Hosts file (one of the hijackers you had is known to tamper with it and this may be what is blocking certain webpages for you to display)
http://www.dslreports.com/faq/10131

9. Get the latest updates for your AV program and do a system scan (preferably in safe mode as you did above) and let it fix or delete anything it finds.

10. Check your system for entries left by the two trojans that some folks listed above. They were the two files running that you were hopefully able to delete in the steps above and they may have left behind some entries in your registry that need checking.

Refer to the manual instructions here to make sure you got everything.

C:\WINDOWS\runwin32.exe
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html

C:\WINDOWS\wininet32.exe
http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=59220&VName=TROJ_AGENT.AD&VSect=T
....................
11. Get an online AV scan at one (preferably two ) of the following just to make sure your AV hasn't missed something or been disabled by any malware.

Panda's Active Scan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

(If any infections are found - let them fix or delete them, and be sure to reboot your PC between cleanings)

12. Once you are sure everything has been cleaned and all is working properly, then follow Crystal Sky's directions and go ahead and reset your restore point with a new one.

There is probably still more to do on the hijacker problem if it is still reinfecting you (that would be the hidden dll problem and that's a different process), but at this point, please scan once more with HijackThis and post a new log for us - along with a description of any symptoms you may still be having.
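The cleanup CalamityJane lays out above comes down to a few recognisable entry classes in the HijackThis log: R0/R1 search and start pages pointed at a domain the user never chose, a ProxyServer on 127.0.0.1 the user never configured, an orphaned R3 URLSearchHook, O4 Run entries starting executables dropped straight into C:\WINDOWS, and O16 ActiveX downloads from a bare IP address, plus the hosts-file check in step 8. The script below, an added example for this page and not code from the thread or from HijackThis, applies those rules to a log and a hosts file. The TRUSTED_HOSTS and TRUSTED_DPF_HOSTS sets are assumptions chosen to match this poster's log (anyone reusing it should put their own start page and vendors there); the sample log lines are copied from the log posted earlier in the thread, and the sample hosts file is constructed.

```python
"""Triage a HijackThis 1.97-style log and a Windows hosts file for the entry
classes the helpers in this thread told the poster to fix. Added example for
this page, not part of HijackThis or of any post above."""
import re
from urllib.parse import urlsplit

# Assumption: start/search pages the poster chose; any other host in an R0/R1
# line is treated as a hijack. Edit to match your own machine.
TRUSTED_HOSTS = {"www.my.yahoo.com", "www.dellnet.com"}
# Assumption: vendors whose ActiveX (O16) controls were installed on purpose.
TRUSTED_DPF_HOSTS = {"support.dell.com", "www.apple.com", "download.yahoo.com",
                     "fdl.msn.com", "download.macromedia.com"}

LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O4|O16)\s*-\s*(?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RUN_RE = re.compile(r"Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<path>.*)")
WINROOT_EXE_RE = re.compile(r"(?i)^C:\\WINDOWS\\[^\\]+\.exe$")


def host_of(url):
    """Host part of a URL; tolerates entries that omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def triage_line(line):
    """Return (severity, reason) for a suspicious HijackThis line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        name, _, value = body.partition(" = ")
        value = value.strip()
        if "Internet Settings,ProxyServer" in name:
            # A loopback proxy the user never configured explains "page cannot
            # be displayed": the malware that listened there is gone, but IE
            # still routes every request through it.
            return ("high", "ProxyServer = %s; fix unless you set it yourself" % value)
        if value.startswith("http") and host_of(value) not in TRUSTED_HOSTS:
            setting = name.rsplit(",", 1)[-1]
            return ("high", "IE %s hijacked to %s" % (setting, host_of(value)))
        return None

    if kind == "R3" and "(no file)" in body:
        return ("medium", "orphaned URLSearchHook, backing DLL already gone")

    if kind == "O4":
        run = RUN_RE.search(body)
        # Executables dropped straight into %WINDIR% under system-sounding
        # names (runwin32.exe, wininet32.exe) are the pattern in this thread.
        if run and WINROOT_EXE_RE.match(run.group("path").strip('" ')):
            return ("high", "Run entry [%s] starts %s from the Windows root"
                    % (run.group("name"), run.group("path")))
        return None

    if kind == "O16":
        host = host_of(body.rsplit(" - ", 1)[-1].strip())
        if IPV4_RE.match(host):
            return ("high", "ActiveX download from bare IP %s" % host)
        if host not in TRUSTED_DPF_HOSTS:
            return ("medium", "ActiveX download from unvetted host %s" % host)
    return None


def triage_log(text):
    """All findings for a log as (severity, reason, original line) tuples."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


def triage_hosts(text):
    """Names other than localhost mapped in a hosts file. A stock Windows XP
    hosts file has one active entry (the Ad-aware log above scanned exactly
    one), so anything else was added by software or by the user."""
    extra = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            addr, *names = line.split()
            extra.extend((n, addr) for n in names if n.lower() != "localhost")
    return extra


# Sample input: lines copied from the HijackThis log posted above, plus two
# benign entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://63.219.178.91/1/deaGB89.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""
# Constructed hosts file: the stock entry plus one line a hijacker might add
# to keep an antivirus site from loading.
SAMPLE_HOSTS = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1 localhost\n127.0.0.1 www.symantec.com\n"

if __name__ == "__main__":
    for sev, reason, line in triage_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sev.upper(), reason, line))
    for name, addr in triage_hosts(SAMPLE_HOSTS):
        print("[HOSTS] %s -> %s" % (name, addr))
```

Run it as-is to see the five findings from the sample, or feed a saved log to triage_log. It is a triage aid, not a verdict: the "medium" O16 hits only mean an unvetted download site, and a proxy entry the user did configure on purpose is a false positive, which is exactly the caveat CalamityJane attaches to the two proxy lines in step 5.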
dafficus
join:2004-06-02
Overland Park, KS

Member

Thanks to all of you so very much, especially you Calamity Jane. You all are a God Send!

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

Hi dafficus, did the symptoms disappear and not return? Could you post a final HijackThis scan just to be sure everything looks ok at this point?

Also, don't leave without taking a look towards prevention of future infections of this nature (like that annoying sexdialer)
»Security »How do I prevent browser hijacks and spyware?

There are recommendations in the link above to secure your PC and your IE browser plus some excellent free programs that can prevent this malware from ending up on your PC in the first place.

Here is another more indepth help page for securing your PC against everything else
»Security »How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach:

(But I would like to see a final HijackThis log, dafficus)
dafficus
join:2004-06-02
Overland Park, KS

1 recommendation

Member

Sorry I was so long in responding Calamity. I travel a great deal. All appears well with my computer but your review of the Hijack is greatly appreciated. Thanks again for all of your time, effort and help.

Dafficus

Here is the Hijack information dated today:

Logfile of HijackThis v1.97.7
Scan saved at 9:58:34 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/sbcy/yinst.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AB294EC6-7ADA-11D4-9D5F-00B0D04BBD07} (msichat50 Client Control) - http://www.globalchat.com/custom/nativeclient/msichat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CF1A5BDE-732F-49B7-AD1F-51010E37F9EB} (MSN Money Portfolio Manager) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

1 recommendation

Hi dafficus, you're quite welcome. We're glad we could help.

You can fix the following item (it's now just an orphan item left over)

R3 - Default URLSearchHook is missing

Your log looks clean now. Glad to hear that resolved your problems. Looks like you got some extra protection in place too.

Stay safe and happy surfing.

dafficus
join:2004-06-02
Overland Park, KS

Would that be "OK to delete" when you say fix it?
Secondly, per your instructions I added several protective programs to my system and have passed the word on to several friends. Again, many, many thanks for who you are and what you do for those of us "less talented" mortals.

Dafficus

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

1 recommendation

Yes, you can scan with HijackThis and checkmark that item:

R3 - Default URLSearchHook is missing

Then press *fix checked*

Glad to hear all is well and that you are spreading the word to patch and protect! (You did get ALL the Windows critical security updates, right?) As part of our list in the hijack/spyware/malware prevention FAQ, #1 is patching your Windows operating system and IE. (#2 is securing your IE browser - also covered in there.) Why? Because much of this malware is taking advantage of unpatched exploits to stealth-install on you. You can have all the protection tools and they can still get in if you have holes in your OS and in your IE. [/EndOfLecture]:D
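An added example, not from this thread or from HijackThis itself: a small Python parser for the HijackThis log format pasted above, which pulls the autostart commands (O4), the download hosts of installed ActiveX controls (O16) and orphan R3 entries like the one CalamityJane says is safe to fix out of a log. The sample log is constructed from a few lines of the format; the regexes are my assumptions about that format, not HijackThis code.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis log format seen in this thread (not the poster's full log).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")                      # "O4 - <rest>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # registry Run keys
STARTUP_RE = re.compile(r"^(Global Startup|Startup): (.+?) = (.+)$")  # Startup-folder .lnk files
DPF_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]+)\} \((.+?)\) - (\S+)$")  # downloaded ActiveX controls


def parse_entry(line):
    """Split one HijackThis line into its section code plus the fields that section carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    entry = {"section": section, "raw": rest}
    if section == "O4":
        r = RUN_RE.match(rest) or STARTUP_RE.match(rest)
        if r:
            entry.update(hive=r.group(1), name=r.group(2), command=r.group(3))
    elif section == "O16":
        d = DPF_RE.match(rest)
        if d:
            entry.update(clsid=d.group(1).upper(), name=d.group(2), url=d.group(3),
                         host=urlparse(d.group(3)).hostname)
    elif section == "R3" and "is missing" in rest:
        entry["orphan"] = True  # a hook entry that points at nothing; the thread calls this safe to fix
    return entry


def parse_hjt(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def autostart_commands(entries):
    """Every program launched at logon, by location: the list to review when a hijack keeps returning."""
    return [(e["hive"], e["name"], e["command"]) for e in entries if e["section"] == "O4" and "command" in e]


def dpf_hosts(entries):
    """Hosts that installed ActiveX controls were downloaded from, so unfamiliar ones stand out."""
    return sorted({e["host"] for e in entries if e["section"] == "O16" and e.get("host")})


def orphans(entries):
    return [e["raw"] for e in entries if e.get("orphan")]
```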