
IE opens a second window automatically with a **** site URL in it

Discussion in 'Malware and Virus Removal Archive' started by cone, 2004/10/12.

Thread Status:
Not open for further replies.
  1. 2004/11/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Where did all your startups go ?

    Either you have had HijackThis ignore them or you have been disabling things with a startup tool.
    That log does us no good; we need to see everything.

    Before you post your next log, try running Ad-Aware while in Safe Mode please.

    Also, I'm curious: see attachment. Do you have two mentions of a Quick Launch in that context menu, or perhaps a double divider? There should only be one.
     
  2. 2004/11/04
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I can't run Ad-Aware in Safe Mode because my computer will absolutely not run in Safe Mode. It starts to boot up and then completely freezes. I've tried it probably 25 times and a couple of times I actually got the "help" file up but I had no mouse or keyboard capability. I don't understand where I'm to be looking for this split screen that you put the illustration of. As far as the HijackThis log, I've enabled everything through msconfig and here's the new log. Thanks again.

    Logfile of HijackThis v1.98.2
    Scan saved at 7:01:13 PM, on 04/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\BENQ\QMUSIC2\QMAGENT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {65A79535-744D-441E-A51E-1B88101CFE77} - C:\WINDOWS\SYSTEM\ACKM.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [SRD3X40M] C:\WINDOWS\SYSTEM\SRD3X40M.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O18 - Filter: text/html - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
    O18 - Filter: text/plain - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
     


  4. 2004/11/05
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    That screenshot context menu is seen if you right-click on your Windows taskbar > Toolbars.

    I'm collecting files. If possible, place these files in a zip for me please,
    can you?
    C:\WINDOWS\SYSTEM\ACKM.DLL
    C:\WINDOWS\SYSTEM\SRD3X40M.exe

    Download and run this tool, follow the prompts, reboot, and post its log when back:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.removal.tool.html


    After restarting, before connecting, run HijackThis, place a check next to these items, and hit Fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {65A79535-744D-441E-A51E-1B88101CFE77} - C:\WINDOWS\SYSTEM\ACKM.DLL
    O4 - HKLM\..\Run: [SRD3X40M] C:\WINDOWS\SYSTEM\SRD3X40M.exe
    O18 - Filter: text/html - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
    O18 - Filter: text/plain - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
    =========================

    Post a new HijackThis log and the fixagentb log too.

    Also run one of those VX2 Finders; over to the right, click Restore User Agent.
    Don't be alarmed, it will delete and then restore a normal one.
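As an added example (not code from the thread or from HijackThis), a Python triage helper that parses HijackThis 1.98 finding lines, flags the patterns acted on in the fix list above (search keys pointed at about:NavigationFailure, the non-standard HomeOldSP value, an unnamed BHO, text/html and text/plain MIME filters, and any line naming a file already identified as bad), and then checks a later log to confirm the flagged items are gone. The sample log lines are excerpted from the logs posted in this thread; the known-bad file list is the pair of files requested in this post.

```python
import re
from dataclasses import dataclass

# Every HijackThis 1.98 finding line starts with a section tag: R0-R3, F0-F3, N1-N4, O1-O23.
LINE_RE = re.compile(r"^(?P<section>[RFON]\d{1,2}) - (?P<body>.+)$")

# Taken from the fix list posted in this thread, not a general signature set.
HIJACK_MARKER = "about:NavigationFailure"    # every search key had been pointed here
SUSPECT_VALUE_NAMES = {"HomeOldSP"}          # non-standard IE\Main value the fix list removed
HIJACKED_MIME = {"text/html", "text/plain"}  # an O18 filter on these sees every page IE renders
KNOWN_BAD = [r"C:\WINDOWS\SYSTEM\ACKM.DLL", r"C:\WINDOWS\SYSTEM\SRD3X40M.exe"]  # files asked for above

@dataclass(frozen=True)
class Entry:
    section: str   # "R1", "O2", "O4", "O18", ...
    body: str      # text after "Rn - "

    def __str__(self):
        return f"{self.section} - {self.body}"

def parse_log(text):
    """Keep only finding lines; the header and 'Running processes' block are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m.group("section"), m.group("body")))
    return out

def _fields(entry):
    """Split 'Filter: text/html - {CLSID} - C:\\...\\X.DLL' style bodies on ' - '."""
    return [p.strip() for p in entry.body.split(" - ")]

def flag_entries(entries, known_bad_files=()):
    """Return [(entry, reason), ...] for the lines a helper would tell the user to fix."""
    bad = [f.lower() for f in known_bad_files]
    findings = []
    for e in entries:
        reason = None
        if e.section in ("R0", "R1"):
            key, _, value = e.body.partition(" = ")
            value_name = key.rsplit(",", 1)[-1]
            if value.strip() == HIJACK_MARKER:
                reason = f"search setting redirected to {HIJACK_MARKER}"
            elif value_name in SUSPECT_VALUE_NAMES:
                reason = f"non-standard IE value {value_name}"
        elif e.section == "O2" and _fields(e)[0] == "BHO: (no name)":
            reason = "unnamed Browser Helper Object"
        elif e.section == "O18" and e.body.startswith("Filter:"):
            mime = _fields(e)[0].split(":", 1)[1].strip()
            if mime in HIJACKED_MIME:
                reason = f"MIME filter on {mime}"
        # An autostart like [SRD3X40M] has no syntactic tell; it is caught only by file name.
        if reason is None and any(f in e.body.lower() for f in bad):
            reason = "references a known-bad file"
        if reason:
            findings.append((e, reason))
    return findings

def filter_dlls(entries):
    """DLLs backing O18 MIME filters; anything else loading the same DLL deserves a look."""
    return {_fields(e)[-1].lower() for e in entries
            if e.section == "O18" and e.body.startswith("Filter:")}

def still_present(before_text, after_text, known_bad_files=()):
    """Flagged lines from the first log that survive into the post-fix log."""
    after = {str(e) for e in parse_log(after_text)}
    return [e for e, _ in flag_entries(parse_log(before_text), known_bad_files)
            if str(e) in after]

# Sample lines excerpted from the logs posted in this thread (before and after the fix).
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {65A79535-744D-441E-A51E-1B88101CFE77} - C:\WINDOWS\SYSTEM\ACKM.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SRD3X40M] C:\WINDOWS\SYSTEM\SRD3X40M.exe
O18 - Filter: text/html - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
O18 - Filter: text/plain - {761AF368-231D-459E-9C22-986BB6AF759A} - C:\WINDOWS\SYSTEM\ACKM.DLL
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"""

if __name__ == "__main__":
    for entry, why in flag_entries(parse_log(BEFORE_LOG), KNOWN_BAD):
        print(f"FIX  {entry}\n     reason: {why}")
    print("leftover after fix:", still_present(BEFORE_LOG, AFTER_LOG, KNOWN_BAD))
```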
     
  5. 2004/11/05
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    1. There is only a single Quick Launch on that screen.
    2. I could locate either of those files in Windows\System to zip up for you.
    3. Downloaded and ran the removal tool as requested and here's the log:
    Symantec Backdoor.Agent.B Removal Tool 1.0.1.2

    hidden viral process: fffee391 (terminated)
    process: MPREXE.EXE, thread: FFFD3F71 (terminated)
    process: EXPLORER.EXE, thread: FFFD1C25 (terminated)
    process: SYSTRAY.EXE, thread: FFFB6171 (terminated)
    process: TYPE32.EXE, thread: FFFC5991 (terminated)
    process: QMAGENT.EXE, thread: FFFDD299 (terminated)
    process: MSNMSGR.EXE, thread: FFFA0099 (terminated)
    process: WMIEXE.EXE, thread: FFFC638D (terminated)
    process: STMGR.EXE, thread: FFFC0DF1 (terminated)
    process: FXAGENTB.EXE, thread: FFFD4ED9 (terminated)

    registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce: *n (restored)

    c:\WINDOWS\SYSTEM\RESA.DLL: (will be deleted on next reboot)

    The Backdoor.Agent.B removal was successful.
    The system will delete 1 Backdoor.Agent.B files from your PC on next reboot.

    Here is the report:

    1 file(s) could not be deleted.
    They will be deleted on next reboot.

    The total number of the scanned files: 29663
    The number of deleted files: 0
    The number of viral processes terminated: 1
    The number of viral threads terminated: 9
    The number of registry entries fixed: 1

    The tool initiated a system reboot.

    4. Ran HijackThis. Only one of those files showed up on the new run and that was O4 - HKLM\..\Run: [SRD3X40M] etc. etc. I deleted it and here's the new log.
    Logfile of HijackThis v1.98.2
    Scan saved at 9:19:10 AM, on 05/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\BENQ\QMUSIC2\QMAGENT.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab

    5. I'm confused about your last instruction, "run one of those VX2 Finder over to the right click restore user agent". Could you explain that to my weary brain?
    Thanks so much!
     
  6. 2004/11/05
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Sorry - error in my last message. I COULDN'T locate those two files you wanted me to zip up for you.
     
  7. 2004/11/05
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Sure

    Download this tool to your desktop:
    http://downloads.subratam.org/VX2Finder9x(126).exe
    To use it: VX2Finder9x
    Run it by double-clicking VX2Finder9x26.exe
    click Find VX2abetterinternet

    If there are any files found near the top, click Make Log, then copy and paste that back here please;
    exit Notepad and VX2Finder9x.

    If there are no files found,
    click these buttons over to the right if they are available:
    Hit "user agent"; don't be alarmed, it will restore the proper one.
    "restore desktop"; don't be alarmed, the desktop will disappear then reappear.
    Next hit "import reg", then exit.
     
  8. 2004/11/05
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Also
    launch Notepad, and copy and paste the bolded text below into a new text file.
    Hit Enter once.
    Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"

    Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

    Post a new Hijackthis log after restarting the PC please.

    Where has your antivirus gone?
     
  9. 2004/11/11
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    You had me download VX2Finder9x before and I got the exact same log now as before. Here it is:
    Files Found---


    User Agent String---
    {21AE619E-3716-4A9C-B4E6-A0CB9A5A587B}

    You asked about my virus checker - it has been destroyed apparently from whatever this is that I have. It will not run anymore - it keeps saying it is missing various .dll files and McAfee can't (or won't) help me. I've tried uninstalling and reinstalling the program but nothing has worked.


    I made the fixme.reg file and ran it. Then I rebooted and ran HijackThis, and here's the log.

    Logfile of HijackThis v1.98.2
    Scan saved at 12:34:03 AM, on 11/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\BENQ\QMUSIC2\QMAGENT.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
     
  10. 2004/11/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Cone - since McAfee isn't running (and the HJT log verifies that) you need to get other AV protection on the PC as soon as you can. AVG has a free version that is good. Available Here.

    If McAfee will uninstall you might as well get rid of it for now or for good.

    I would also run another HJT scan and remove the following
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    While it isn't harmful, it also isn't necessary to have running every time you boot up. Just adds to your system load for no benefit to you. The application will not be harmed but just won't launch that background piece when you boot the PC.

    Are you still having problems other than no AV?
     
  11. 2004/11/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Try merging that reg file again but edit out that space in
    "Curr entVersion"; sorry, our forum breaks them up like that and I hadn't spotted it.

    Did you run VX2Finder9x and press the "user agent" button ?
     
  12. 2004/11/11
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I merged the reg file again after making the correction you said. I have deleted McAfee, ran HijackThis and deleted the file you suggested. I also ran the VX2 Finder and did the following 3 steps: hit "user agent", "restore desktop", and "import reg", then exited. I am still having problems with the computer. When I run Ad-Aware I get more than 200 reg keys, files, running processes etc. on my machine but it will not delete them. It quarantines and then freezes every single time when I go to delete. I cannot run it in Safe Mode because my computer will absolutely not run in Safe Mode. If it doesn't automatically freeze when it comes to the help menu then it loads that and the mouse freezes. I really, really want to get rid of this spyware on my machine; I think it's what is causing a lot of the problems I have with weird home pages showing up, programs freezing etc. Any suggestions on getting Ad-Aware to work or my computer to run in Safe Mode? Thanks so much.
     
  13. 2004/11/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I suggested in post #5 and again in post #7, to scan your pc with RAV online virus scanner. I repeat that recommendation again. Additionally, did you ever delete the contents of all temp folders and run disk cleanup as suggested? I've seen Ad-aware hang often enough on files in the temp folders. We'll address the safe mode issue once we get things cleaned up.

    Is Ad-aware making logs of what it finds? If so, post the last one you ran. It may take several posts, as there is a character limit per post.
     
  14. 2004/11/12
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Sorry, I must have missed the direction to run RAV. I did that and it came up with 13 backdoor and trojan infections which it told me it couldn't delete. It said I needed to find them on the computer and delete them manually, which of course I can't because they always say they are in use and can't be deleted. As to your question about Temp folders etc., I clean out my temp and temp internet folders every single day. My computer is set to not accept cookies stored on my machine so I never have anything in there. I also run Disk Cleanup every day. I ran Ad-Aware again and got the following log. (Also, as a note, whenever I run Ad-Aware I immediately get a screen that pops up that says Explorer has caused an error in unknown, and then Ad-Aware continues.) Here's the log.

    Ad-Aware SE Build 1.05
    Logfile Created on:November 12, 2004 4:50:22 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R18 08.11.2004
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    CoolWebSearch(TAC index:10):15 total references
    MRU List(TAC index:0):13 total references
    Tracking Cookie(TAC index:3):25 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    12-11-2004 4:50:22 PM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
    Description : mru list for items opened in start | run


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
    Description : list of recently used files in microsoft windows media player


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\internet explorer
    Description : last download directory used in microsoft internet explorer


    MRU List Object Recognized!
    Location: : software\microsoft\directdraw\mostrecentapplication
    Description : most recent application to use microsoft directdraw


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
    Description : last playlist index loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
    Description : last playlist loaded in microsoft windows media player


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\mediaplayer\medialibraryui
    Description : last selected node in the microsoft windows media player media library


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
    Description : windows media sdk


    MRU List Object Recognized!
    Location: : C:\WINDOWS\Application Data\microsoft\office\recent
    Description : list of recently opened documents using microsoft office


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [KERNEL32.DLL]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4291787323
    Threads : 4
    Priority : High
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-2000
    OriginalFilename : KERNEL32.DLL

    #:2 [MSGSRV32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294950799
    Threads : 1
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename : MSGSRV32.EXE

    #:3 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294958927
    Threads : 1
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft Windows
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    LegalCopyright : Copyright © Microsoft Corp. 1991-2000
    OriginalFilename : mmtask.tsk

    #:4 [MPREXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294956299
    Threads : 2
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-2000
    OriginalFilename : MPREXE.EXE

    #:5 [STIMON.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294837883
    Threads : 5
    Priority : Normal
    FileVersion : 4.90.3000.1
    ProductVersion : 4.90.3000.1
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Still Image Devices Monitor
    InternalName : STIMON
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : STIMON.EXE

    #:6 [SYSTRAY.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294834367
    Threads : 2
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : System Tray Applet
    InternalName : SYSTRAY
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-2000
    OriginalFilename : SYSTRAY.EXE

    #:7 [TYPE32.EXE]
    FilePath : C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\
    ProcessID : 4294715195
    Threads : 3
    Priority : Normal


    #:8 [QMAGENT.EXE]
    FilePath : C:\PROGRAM FILES\BENQ\QMUSIC2\
    ProcessID : 4294711563
    Threads : 2
    Priority : Normal
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : QMAgent Application
    FileDescription : QMAgent MFC Application
    InternalName : QMAgent
    LegalCopyright : Copyright (C) 2002
    OriginalFilename : QMAgent.EXE

    #:9 [KODAKCCS.EXE]
    FilePath : C:\WINDOWS\SYSTEM32\DRIVERS\
    ProcessID : 4294730915
    Threads : 2
    Priority : Normal
    FileVersion : 1.1.5000.0
    ProductVersion : 4.3.3.0
    ProductName : Kodak DC File System Driver (Win32)
    CompanyName : Eastman Kodak Company
    FileDescription : Kodak DC Ring 3 Conduit (Win32)
    InternalName : KodakCCS.exe
    LegalCopyright : Copyright (C) Eastman Kodak Co. 2000-2003
    OriginalFilename : DcFsSvc.exe

    #:10 [USBMONIT.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294730651
    Threads : 1
    Priority : Normal
    FileVersion : 1, 5, 0, 0
    ProductVersion : 1, 5, 0, 0
    ProductName : Gene USB Monitor
    CompanyName : General
    FileDescription : Gene USB Monitor
    InternalName : USBMonitor
    LegalCopyright : Copyright (C) 2000-2004
    OriginalFilename : USBMonit.exe

    #:11 [BACKWEB-7288971.EXE]
    FilePath : C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\
    ProcessID : 4294642971
    Threads : 6
    Priority : Normal


    #:12 [STMGR.EXE]
    FilePath : C:\WINDOWS\SYSTEM\RESTORE\
    ProcessID : 4294641467
    Threads : 5
    Priority : Normal
    FileVersion : 4.90.0.2533
    ProductVersion : 4.90.0.2533
    ProductName : Microsoft (r) PCHealth
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft (R) PC State Manager
    InternalName : StateMgr.exe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : StateMgr.exe

    #:13 [WMIEXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294858787
    Threads : 3
    Priority : Normal
    FileVersion : 4.90.2452.1
    ProductVersion : 4.90.2452.1
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WMI service exe housing
    InternalName : wmiexe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : wmiexe.exe

    #:14 [DDHELP.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294615995
    Threads : 2
    Priority : Realtime
    FileVersion : 4.09.00.0900
    ProductVersion : 4.09.00.0900
    ProductName : Microsoft® DirectX for Windows®
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft DirectX Helper
    InternalName : DDHelp.exe
    LegalCopyright : Copyright © Microsoft Corp. 1994-2002
    OriginalFilename : DDHelp.exe

    #:15 [KAGP.DAT]
    FilePath : C:\WINDOWS\TEMP\
    ProcessID : 4294506235
    Threads : 1
    Priority : Normal


    #:16 [EXPLORER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294881015
    Threads : 22
    Priority : Normal
    FileVersion : 5.50.4134.100
    ProductVersion : 5.50.4134.100
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : EXPLORER.EXE

    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1094164452.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1094164452.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1093399787.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1093399787.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1093250493.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1093250493.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1093050074.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1093050074.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1092628119.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1092628119.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1092628050.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1092628050.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1092538787.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1092538787.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1092150232.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1092150232.DLL)


    CoolWebSearch Object Recognized!
    Type : Process
    Data : 1092117603.DLL
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\


    Warning! CoolWebSearch Object found in memory(C:\WINDOWS\1092117603.DLL)


    #:17 [AD-AWARE.EXE]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
    ProcessID : 4294461807
    Threads : 2
    Priority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 22


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 22


    objects:31
     
  15. 2004/11/12
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    And here's the second half of the log...
    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 22


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 22


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@z1.adserver[1].txt
    Category : Data Miner
    Comment : Hits:13
    Value : Cookie:michener@z1.adserver.com/
    Expires : 12/11/2005 3:23:00 PM
    LastSync : Hits:13
    UseCount : 0
    Hits : 13

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@a.as-us.falkag[2].txt
    Category : Data Miner
    Comment : Hits:4
    Value : Cookie:anyuser@a.as-us.falkag.net/
    Expires : 08/12/2004 9:30:26 PM
    LastSync : Hits:4
    UseCount : 0
    Hits : 4

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@stat.onestat[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:anyuser@stat.onestat.com/
    Expires : 07/11/2014 5:00:00 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@advertising[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:michener@advertising.com/
    Expires : 11/11/2009 2:50:02 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@realmedia[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:anyuser@realmedia.com/
    Expires : 31/12/2010 4:59:58 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@servedby.advertising[2].txt
    Category : Data Miner
    Comment : Hits:34
    Value : Cookie:michener@servedby.advertising.com/
    Expires : 12/12/2004 4:30:34 PM
    LastSync : Hits:34
    UseCount : 0
    Hits : 34

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@paycounter[2].txt
    Category : Data Miner
    Comment : Hits:6
    Value : Cookie:anyuser@paycounter.com/
    Expires : 30/12/2030 6:00:00 PM
    LastSync : Hits:6
    UseCount : 0
    Hits : 6

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@bravenet[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:anyuser@bravenet.com/
    Expires : 08/11/2014 7:47:48 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@as-us.falkag[1].txt
    Category : Data Miner
    Comment : Hits:13
    Value : Cookie:anyuser@as-us.falkag.net/
    Expires : 08/11/2005 9:30:28 PM
    LastSync : Hits:13
    UseCount : 0
    Hits : 13

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@gator[1].txt
    Category : Data Miner
    Comment : Hits:3
    Value : Cookie:anyuser@gator.com/
    Expires : 09/01/2005 7:18:04 PM
    LastSync : Hits:3
    UseCount : 0
    Hits : 3

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@cs.sexcounter[2].txt
    Category : Data Miner
    Comment : Hits:22
    Value : Cookie:anyuser@cs.sexcounter.com/
    Expires : 12/05/2024 11:07:28 AM
    LastSync : Hits:22
    UseCount : 0
    Hits : 22

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@maxserving[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:michener@maxserving.com/
    Expires : 02/11/2014 9:36:56 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@a.as-us.falkag[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:michener@a.as-us.falkag.net/
    Expires : 04/12/2004 9:39:38 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@statcounter[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:michener@statcounter.com/
    Expires : 03/11/2009 9:22:36 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@fastclick[1].txt
    Category : Data Miner
    Comment : Hits:11
    Value : Cookie:michener@fastclick.net/
    Expires : 02/11/2006 2:48:34 PM
    LastSync : Hits:11
    UseCount : 0
    Hits : 11

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@z1.adserver[1].txt
    Category : Data Miner
    Comment : Hits:103
    Value : Cookie:anyuser@z1.adserver.com/
    Expires : 10/11/2005 10:07:14 PM
    LastSync : Hits:103
    UseCount : 0
    Hits : 103

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@as-us.falkag[2].txt
    Category : Data Miner
    Comment : Hits:6
    Value : Cookie:michener@as-us.falkag.net/
    Expires : 04/11/2005 9:39:38 PM
    LastSync : Hits:6
    UseCount : 0
    Hits : 6

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@maxserving[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:anyuser@maxserving.com/
    Expires : 06/11/2014 4:45:56 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : anyuser@questionmarket[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:anyuser@questionmarket.com/
    Expires : 30/12/2005 12:58:16 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@atdmt[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:michener@atdmt.com/
    Expires : 10/11/2009 5:00:00 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 20
    Objects found so far: 42



    Deep scanning and examining files (c:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Object "W0000008.CPY" found in this archive.

    CoolWebSearch Object Recognized!
    Type : File
    Data : FS2.CAB
    Category : Malware
    Comment : Object "W0000008.CPY" found in this archive.
    Object : c:\_RESTORE\ARCHIVE\



    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@fastclick[1].txt
    Category : Data Miner
    Comment :
    Value : c:\WINDOWS\Cookies\michener@fastclick[1].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@atdmt[1].txt
    Category : Data Miner
    Comment :
    Value : c:\WINDOWS\Cookies\michener@atdmt[1].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@advertising[1].txt
    Category : Data Miner
    Comment :
    Value : c:\WINDOWS\Cookies\michener@advertising[1].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@servedby.advertising[2].txt
    Category : Data Miner
    Comment :
    Value : c:\WINDOWS\Cookies\michener@servedby.advertising[2].txt

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : michener@z1.adserver[1].txt
    Category : Data Miner
    Comment :
    Value : c:\WINDOWS\Cookies\michener@z1.adserver[1].txt

    CoolWebSearch Object Recognized!
    Type : File
    Data : backup-20041030-002507-151.dll
    Category : Malware
    Comment :
    Object : c:\HJT\backups\
    FileVersion : 1, 0, 0, 1
    ProductVersion : 1, 0, 0, 1
    ProductName : Search Bar
    FileDescription : Search Bar plug-in for Internet Explorer
    InternalName : ToolBar
    LegalCopyright : Copyright © 2004
    OriginalFilename : ToolBand.dll


    Disk Scan Result for c:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 49


    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\search
    Value : SearchAssistant

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst

    CoolWebSearch Object Recognized!
    Type : File
    Data : rundlg32.inf
    Category : Malware
    Comment :
    Object : C:\WINDOWS\downloaded program files\



    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 4
    Objects found so far: 53

    4:53:36 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:03:14.160
    Objects scanned:65718
    Objects identified:31
    Objects ignored:0
    New critical objects:31
     
  16. 2004/11/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download the latest version of CWShredder from here. Install and open, close ALL other windows and click fix.

    Turn off system restore.

    Open C:\Windows\Cookies, select all and delete.

    Do a search for temp. Open all folders found, select all and delete.

    Open Internet Options in the control panel. On General tab, clear files, clicking the box for all offline content, then click delete cookies.

    Open HijackThis. Click the config button, then backups. Now clear all and exit.

    Install Move-on-Boot. It will give you a new right click menu to 'delete on next boot'. Right click each of the files reported as infected by RAV and select the delete on next boot option. If unable to delete any files in the temp folders, use MOB to mark them too.

    Reboot and empty the recycle bin. Do another RAV scan. If any files infected, click report and copy/paste it here. Run another Ad-aware scan and let us know the results. Attach the new log, as well as a new HijackThis log.
     
  17. 2004/11/13
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    - I downloaded CWShredder and it said there was no CoolWebSearch on the machine.
    - My System Restore is always off now - I can't get it to come back on. I uncheck the box, apply, and reboot and when I go back, the box is checked again.
    - Deleted all cookies
    - cleared files, including off-line content in Internet Options
    - cleared all records in Config in HijackThis
    - installed Move-on-Boot and found all but two of the files listed in the RAV check. They are supposed to be in C:\Windows\Downloaded Program Files but I can't right click to select them there. When I click to open that folder it automatically shoots back to the first screen with a target of C:\Windows\Download~ and won't let me look inside. I can find the files by using search or anything else so they still show up as two trojans (as the log below shows)
    Scanned files: 27276
    Scanned directories: 1824
    Scanned archives: 813
    Size of the scanned files: 2036280956
    Packed files: 547
    Known viruses found: 2
    Virus bodies: 2
    Suspicious files: 0

    Disinfected files: 0
    Deleted files: 0
    Renamed files: 0
    Copied files: 0
    I/O errors: 0
    Warnings: 0
    Corrupted files: 0
    New files: 293183
    Mail files: 2197




    Found viruses
    File: c:\WINDOWS\Downloaded Program Files\QDow_AS2.dll
    Virus: TrojanDownloader:Win32/Qdown.L Status: Infected

    File: c:\WINDOWS\Downloaded Program Files\ziphelp.exe
    Virus: Trojan:Win32/StartPage.LZ Status: Infected
     
  18. 2004/11/13
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    - rebooted and emptied the recycle bin
    - Did another RAV scan (results above)
    - Ran another Ad-Aware, 5 files showed up (log below)
    I ran Ad-Aware before I rebooted and 3 showed up. When I rebooted 5 showed up. It's like they are created each time you turn on the machine.

    Ad-Aware SE Build 1.05
    Logfile Created on:November 13, 2004 10:35:34 AM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R18 08.11.2004
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    MRU List(TAC index:0):5 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for negligible risk entries
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    13-11-2004 10:35:34 AM - Scan started. (Full System Scan)

    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
    Description : mru list for items opened in start | run


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description : list of recently saved files, stored according to file extension


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description : list of recent programs opened


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs
    Description : list of recent documents opened


    MRU List Object Recognized!
    Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
    Description : list of recently entered addresses in microsoft internet explorer


    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [KERNEL32.DLL]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4291787343
    Threads : 4
    Priority : High
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-2000
    OriginalFilename : KERNEL32.DLL

    #:2 [MSGSRV32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294950907
    Threads : 1
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename : MSGSRV32.EXE

    #:3 [mmtask.tsk]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294958907
    Threads : 1
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft Windows
    CompanyName : Microsoft Corporation
    FileDescription : Multimedia background task support module
    InternalName : mmtask.tsk
    LegalCopyright : Copyright © Microsoft Corp. 1991-2000
    OriginalFilename : mmtask.tsk

    #:4 [MPREXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294956415
    Threads : 2
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-2000
    OriginalFilename : MPREXE.EXE

    #:5 [EXPLORER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294840135
    Threads : 21
    Priority : Normal
    FileVersion : 5.50.4134.100
    ProductVersion : 5.50.4134.100
    ProductName : Microsoft(R) Windows (R) 2000 Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : EXPLORER.EXE

    #:6 [SYSTRAY.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294785991
    Threads : 2
    Priority : Normal
    FileVersion : 4.90.3000
    ProductVersion : 4.90.3000
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : System Tray Applet
    InternalName : SYSTRAY
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-2000
    OriginalFilename : SYSTRAY.EXE

    #:7 [WMIEXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294794687
    Threads : 3
    Priority : Normal
    FileVersion : 4.90.2452.1
    ProductVersion : 4.90.2452.1
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WMI service exe housing
    InternalName : wmiexe
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
    OriginalFilename : wmiexe.exe

    #:8 [STIMON.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294705335
    Threads : 5
    Priority : Normal
    FileVersion : 4.90.3000.1
    ProductVersion : 4.90.3000.1
    ProductName : Microsoft(R) Windows(R) Millennium Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Still Image Devices Monitor
    InternalName : STIMON
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000
    OriginalFilename : STIMON.EXE

    #:9 [AD-AWARE.EXE]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
    ProcessID : 4294821871
    Threads : 2
    Priority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5



    Deep scanning and examining files (c:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for c:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5


    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 5

    10:38:28 AM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:02:53.680
    Objects scanned:64455
    Objects identified:0
    Objects ignored:0
    New critical objects:0
     
  19. 2004/11/13
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    - ran HijackThis and here is the new log for that. Again, thanks so much - it does look like I am slowly getting this computer cleaned!

    Logfile of HijackThis v1.98.2
    Scan saved at 10:34:55 AM, on 13/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
     
  20. 2004/11/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open IE Options in the control panel. Click the settings button in Temporary Internet Files section, then view objects. Does it open? If so, delete everything there. There should be at least 4 items. Let us know.

    If you still have that fixme.reg file you created before, double click it to merge to the registry again. We'll work on system restore after getting all the infections out.

    Those items found by Ad-aware are normal. MRUs... Most Recently Used entries in the registry... don't be concerned.
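To sort a pasted Ad-Aware SE log like the ones above the way noahdfear does (MRU List entries negligible, CoolWebSearch entries with Category Malware critical), here is an added Python example; it is not part of this thread or of Ad-Aware, the sample log is constructed in the layout seen above, and the severity mapping is an assumption of mine.

```python
import re
from collections import Counter

# Constructed sample in the Ad-Aware SE log layout seen in this thread (not a real scan)
SAMPLE_LOG = """\
MRU List Object Recognized!
Location: : .DEFAULT\\software\\microsoft\\internet explorer\\typedurls
Description : list of recently entered addresses in microsoft internet explorer

CoolWebSearch Object Recognized!
Type : Process
Data : 1092117603.DLL
Category : Malware
Comment : (CSI MATCH)
Object : C:\\WINDOWS\\

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\\microsoft\\internet explorer\\main
Value : Search Bar
"""

HEADER = re.compile(r"^(.+?) Object Recognized!$")
# "Key : value"; MRU blocks are written "Location: : value", hence the optional second colon
FIELD = re.compile(r"^([A-Za-z]+)\s*:(?:\s*:)?\s*(.*)$")


def parse_adaware_log(text):
    """Return one dict per 'Object Recognized!' block; a blank line closes a block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        head = HEADER.match(line)
        if head:
            current = {"family": head.group(1)}
            entries.append(current)
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current[field.group(1)] = field.group(2)
    return entries


def triage(entry):
    """Assumed severity mapping: MRU lists negligible, Category Malware critical."""
    if entry["family"] == "MRU List":
        return "negligible"
    return {"Malware": "critical", "Data Miner": "low"}.get(entry.get("Category"), "unknown")


def describe(entry):
    """Location built from the log's own fields: key + value, or directory + file name."""
    if entry.get("Type") == "RegValue":
        where = f"{entry.get('Rootkey', '')}\\{entry.get('Object', '')} [{entry.get('Value', '')}]"
    else:  # Process / File: directory in Object, file name in Data; MRU: Location
        where = entry.get("Location") or entry.get("Object", "") + entry.get("Data", "")
    return f"{triage(entry):10} {entry['family']:15} {where}"


def summarize(text):
    """Counts per family and per severity, plus one line for each critical object."""
    entries = parse_adaware_log(text)
    crit = [describe(e) for e in entries if triage(e) == "critical"]
    return Counter(e["family"] for e in entries), Counter(map(triage, entries)), crit
```

Running `summarize` over a full pasted log gives the per-family counts and only the critical lines, so the MRU noise noahdfear mentions drops out of the picture.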
     
  21. 2005/01/06
    Dave932932

    Dave932932 Inactive

    Joined:
    2005/01/06
    Messages:
    185
    Likes Received:
    0
    New Version of HijackThis Out

    Cone, get HijackThis 1.99. It's out there now. Google HijackThis 1.99.
     