I am running Ad-Aware SE and it is getting stuck at
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vsenchancer.chl
I have attached my Ad-Aware Scan Log as well as my Hijackthis Log file.
Please help resolve this problem.
Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, February 20, 2007 7:06:27 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R154 19.02.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
20-02-2007 7:06:27 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\User\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\User\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\adobe\adobe acrobat\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe acrobat
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\office\11.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
MRU List Object Recognized!
Location: : S-1-5-21-1085031214-854245398-839522115-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 416
ThreadCreationTime : 20-02-2007 10:19:57 AM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 472
ThreadCreationTime : 20-02-2007 10:19:58 AM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 496
ThreadCreationTime : 20-02-2007 10:19:58 AM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 20-02-2007 10:19:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 552
ThreadCreationTime : 20-02-2007 10:19:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 712
ThreadCreationTime : 20-02-2007 10:20:00 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 800
ThreadCreationTime : 20-02-2007 10:20:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 836
ThreadCreationTime : 20-02-2007 10:20:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 880
ThreadCreationTime : 20-02-2007 10:20:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 904
ThreadCreationTime : 20-02-2007 10:20:01 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1208
ThreadCreationTime : 20-02-2007 10:20:03 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:12 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1344
ThreadCreationTime : 20-02-2007 10:20:03 AM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE
#:13 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1396
ThreadCreationTime : 20-02-2007 10:20:04 AM
BasePriority : Normal
FileVersion : 7.5.0.420
ProductVersion : 7.5.0.420
ProductName : AVG 7.5 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE
#:14 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVG7\
ProcessID : 1428
ThreadCreationTime : 20-02-2007 10:20:04 AM
BasePriority : Normal
FileVersion : 7.5.0.432
ProductVersion : 7.5.0.432
ProductName : AVG Anti-Virus system
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2006 GRISOFT, s.r.o.
OriginalFilename : avgemc.exe
#:15 [ctsvccda.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1492
ThreadCreationTime : 20-02-2007 10:20:05 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE
#:16 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1556
ThreadCreationTime : 20-02-2007 10:20:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE
#:17 [smax4pnp.exe]
FilePath : C:\Program Files\Analog Devices\Core\
ProcessID : 1608
ThreadCreationTime : 20-02-2007 10:20:06 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 20
ProductVersion : 6, 0, 0, 20
ProductName : SMax4PNP Application
CompanyName : Analog Devices, Inc.
FileDescription : SMax4PNP
InternalName : SMax4PNP
LegalCopyright : Copyright © 2005 Analog Devices, Inc.
OriginalFilename : SMax4PNP.exe
#:18 [smax4.exe]
FilePath : C:\Program Files\Analog Devices\SoundMAX\
ProcessID : 1632
ThreadCreationTime : 20-02-2007 10:20:07 AM
BasePriority : Normal
FileVersion : 5, 2, 0, 12
ProductVersion : 5, 2, 0, 12
ProductName : Audio Control Panel
CompanyName : Analog Devices, Inc.
FileDescription : Audio Control Panel
InternalName : SMax4
LegalCopyright : Copyright © 2002-2005, Analog Devices
OriginalFilename : SMax4.EXE
#:19 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 1640
ThreadCreationTime : 20-02-2007 10:20:07 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe
#:20 [pctspk.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1668
ThreadCreationTime : 20-02-2007 10:20:07 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : pctvoice Application
CompanyName : Conexant Systems, Inc.
FileDescription : pctvoice MFC Application
InternalName : pctvoice
LegalCopyright : Copyright© Conexant Systems, Inc. 2003
OriginalFilename : pctvoice.EXE
#:21 [nvsvc32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1680
ThreadCreationTime : 20-02-2007 10:20:08 AM
BasePriority : Normal
FileVersion : 6.14.10.8185
ProductVersion : 6.14.10.8185
ProductName : NVIDIA Driver Helper Service, Version 81.85
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 81.85
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe
#:22 [saservice.exe]
FilePath : C:\Program Files\SiteAdvisor\4608\
ProcessID : 1764
ThreadCreationTime : 20-02-2007 10:20:09 AM
BasePriority : Normal
#:23 [dap.exe]
FilePath : C:\Program Files\DAP\
ProcessID : 1776
ThreadCreationTime : 20-02-2007 10:20:09 AM
BasePriority : Normal
FileVersion : 8, 1, 3, 8
ProductVersion : 8, 1, 3, 8
ProductName : Download Accelerator Plus (DAP)
CompanyName : Speedbit Ltd.
FileDescription : Download Accelerator Plus (DAP)
InternalName : DAP
LegalCopyright : Copyright © 1999 - 2006 Speedbit Ltd.
OriginalFilename : DAP.EXE
Comments : 214
#:24 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1804
ThreadCreationTime : 20-02-2007 10:20:09 AM
BasePriority : Normal
FileVersion : 0.1.0.3292
ProductVersion : 0.1.0.3292
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe
#:25 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1824
ThreadCreationTime : 20-02-2007 10:20:10 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:26 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1896
ThreadCreationTime : 20-02-2007 10:20:10 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:27 [googledesktop.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 192
ThreadCreationTime : 20-02-2007 10:20:11 AM
BasePriority : Normal
FileVersion : 4.2006.1008.2039
ProductVersion : 4.2006.1008.2039
ProductName : Google Desktop
CompanyName : Google
FileDescription : Google Desktop
InternalName : Google Desktop
LegalCopyright : Copyright © 2003-2006 Google. All Rights Reserved.
#:28 [calmain.exe]
FilePath : C:\Program Files\Canon\CAL\
ProcessID : 236
ThreadCreationTime : 20-02-2007 10:20:12 AM
BasePriority : Normal
FileVersion : 8, 0, 0, 21
ProductVersion : 8, 0, 0, 21
CompanyName : Canon Inc.
FileDescription : Canon Camera Access Library 8
LegalCopyright : Copyright © Canon Inc.
OriginalFilename : CALMAIN.exe
#:29 [siteadv.exe]
FilePath : C:\Program Files\SiteAdvisor\4608\
ProcessID : 264
ThreadCreationTime : 20-02-2007 10:20:12 AM
BasePriority : Normal
FileVersion : 1.6.0.23
ProductVersion : 1.6.0.23
ProductName : SiteAdvisor
CompanyName : McAfee, Inc.
FileDescription : SiteAdvisor
InternalName : SiteAdv
LegalCopyright : Copyright McAfee, Inc. All rights reserved.
OriginalFilename : SiteAdv
#:30 [application launcher.exe]
FilePath : C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\
ProcessID : 288
ThreadCreationTime : 20-02-2007 10:20:13 AM
BasePriority : Normal
FileVersion : 1.1.1.3
ProductVersion : 1.1.1.3
ProductName : Application Launcher
CompanyName : Sony Ericsson Mobile Communications AB
FileDescription : Application Launcher
InternalName : Application Launcher
LegalCopyright : Copyright © 2005 Popwire AB. All rights reserved.
OriginalFilename : Application Launcher.exe
#:31 [googledesktopindex.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 304
ThreadCreationTime : 20-02-2007 10:20:13 AM
BasePriority : Normal
FileVersion : 4.2006.1008.2039
ProductVersion : 4.2006.1008.2039
ProductName : Google Desktop
CompanyName : Google
FileDescription : Google Desktop
InternalName : Google Desktop
LegalCopyright : Copyright © 2003-2006 Google. All Rights Reserved.
#:32 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 296
ThreadCreationTime : 20-02-2007 10:20:13 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE
#:33 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 364
ThreadCreationTime : 20-02-2007 10:20:13 AM
BasePriority : Normal
FileVersion : 4.7.3000
ProductVersion : Version 4.7.3000
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:34 [googletoolbarnotifier.exe]
FilePath : C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\
ProcessID : 452
ThreadCreationTime : 20-02-2007 10:20:16 AM
BasePriority : Normal
FileVersion : 1, 2, 908, 8472
ProductVersion : 1, 2, 908, 8472
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright © 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe
#:35 [capabilitymanager.exe]
FilePath : C:\Program Files\Common Files\Teleca Shared\
ProcessID : 912
ThreadCreationTime : 20-02-2007 10:20:19 AM
BasePriority : Normal
FileVersion : 0.0.1.48
ProductVersion : 0.0.1.48
ProductName : CapabilityManager
CompanyName : Teleca Software Solutions AB
FileDescription : Capability Manager
InternalName : CapabilityManager.exe
LegalCopyright : Copyright © 2004 Teleca Software Solutions AB. All rights reserved.
OriginalFilename : CapabilityManager.exe
Comments : This is a generic version of this component
#:36 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 6.0\Distillr\
ProcessID : 940
ThreadCreationTime : 20-02-2007 10:20:21 AM
BasePriority : Normal
FileVersion : 6.0.0.2003051500
ProductVersion : 6.0.0.0
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2003 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe
#:37 [wzqkpick.exe]
FilePath : C:\Program Files\WinZip\
ProcessID : 1140
ThreadCreationTime : 20-02-2007 10:20:23 AM
BasePriority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6028)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English
#:38 [wweb32.exe]
FilePath : C:\Program Files\WordWeb\
ProcessID : 1064
ThreadCreationTime : 20-02-2007 10:20:25 AM
BasePriority : Normal
FileVersion : 3.0.1.0
ProductVersion : 3.0.1.0
ProductName : WordWeb
CompanyName : Antony Lewis
FileDescription : WordWeb thesaurus/dictionary
LegalCopyright : Antony Lewis 2004
Comments : See wordweb.info
#:39 [googledesktopcrawl.exe]
FilePath : C:\Program Files\Google\Google Desktop Search\
ProcessID : 1464
ThreadCreationTime : 20-02-2007 10:20:27 AM
BasePriority : Normal
FileVersion : 4.2006.1008.2039
ProductVersion : 4.2006.1008.2039
ProductName : Google Desktop
CompanyName : Google
FileDescription : Google Desktop
InternalName : Google Desktop
LegalCopyright : Copyright © 2003-2006 Google. All Rights Reserved.
#:40 [ymsgr_tray.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ProcessID : 1480
ThreadCreationTime : 20-02-2007 10:20:27 AM
BasePriority : Normal
#:41 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2276
ThreadCreationTime : 20-02-2007 10:20:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:42 [generic.exe]
FilePath : C:\Program Files\Common Files\Teleca Shared\
ProcessID : 2488
ThreadCreationTime : 20-02-2007 10:20:43 AM
BasePriority : Normal
FileVersion : 1, 0, 3, 2
ProductVersion : 1, 0, 3, 2
ProductName : Device Management
CompanyName : Teleca Software Solutions
FileDescription : Generic Device Management Executable.
InternalName : Generic.exe
LegalCopyright : © Teleca Software Solutions. All rights reserved.
OriginalFilename : Generic.exe
Comments : Teleca main line.
#:43 [epmworker.exe]
FilePath : C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\
ProcessID : 2588
ThreadCreationTime : 20-02-2007 10:20:45 AM
BasePriority : Normal
FileVersion : 1, 2, 0,1183
ProductVersion : 1,3,0,2
ProductName : CAPI_Worker Module
CompanyName : Sony Ericsson Mobile Communications AB
FileDescription : CAPI_Worker Module
InternalName : CAPI_Worker
LegalCopyright : Copyright © 2005 Popwire AB. All rights reserved.
OriginalFilename : EPMWorker.EXE
#:44 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3972
ThreadCreationTime : 20-02-2007 1:02:26 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:45 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1508
ThreadCreationTime : 20-02-2007 1:31:02 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 35
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.Trojandownloader.Zlob Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : vsenchancer.chl
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 36
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 36
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 36
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>
Here is my Hijackthis Log of today (2007-02-20)
Logfile of HijackThis v1.99.1
Scan saved at 6:40:31 PM, on 20/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\User\Desktop\Virus_Removal_CastleCops\HijackThis.exe
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
Please help and advice.
Regards,
Yps
Full Version: Win32.Trojandownloader.Zlob - Infected my machine
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Ad-Aware SE Resolved/Inactive Issues
You are infected with the fake codec trojan (aka zlob, aka trojan.flush, aka wareout, aka kedr).
Here is a tool that can deal with the fake codec trojan most of the time:
http://downloads.subratam.org/Fixwareout.exe
Post the log from it.
Here is a tool that can deal with the fake codec trojan most of the time:
http://downloads.subratam.org/Fixwareout.exe
Post the log from it.
QUOTE(Ai_Tak @ Feb 21 2007, 09:04 AM) 
You are infected with the fake codec trojan (aka zlob, aka trojan.flush, aka wareout, aka kedr).
Here is a tool that can deal with the fake codec trojan most of the time:
http://downloads.subratam.org/Fixwareout.exe
Post the log from it.
Here is a tool that can deal with the fake codec trojan most of the time:
http://downloads.subratam.org/Fixwareout.exe
Post the log from it.
Thanks for your help. Here is the log. Now what do I do?
Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdcjw.exe"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/en/indexx.html
»»»»» Other
C:\WINDOWS\Temp\kdcjw.ren 63276 04/08/2004
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE
C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE
C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PCTVOICE"="pctspk.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SpeedOptimizer"="C:\\PROGRA~1\\SPEEDO~1\\SPO.EXE -s "
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\4608\\SiteAdv.exe"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"CTSyncU.exe"="\"C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Regards,
Yps
Edit: attempted to unmangle this log
QUOTE(Ai_Tak @ Feb 22 2007, 01:18 AM)
Here is the result text.
Complete scanning result of "kdcjw.ren", received in VirusTotal at 02.22.2007, 15:24:47 (CET).
Antivirus Version Update Result
AntiVir 7.3.1.38 02.22.2007 TR/Dldr.DNSChanger.Gen
Authentium 4.93.8 02.21.2007 no virus found
Avast 4.7.936.0 02.22.2007 Win32:DNSChanger-BA
AVG 386 02.22.2007 no virus found
BitDefender 7.2 02.22.2007 no virus found
CAT-QuickHeal 9.00 02.21.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 02.22.2007 no virus found
DrWeb 4.33 02.22.2007 no virus found
eSafe 7.0.14.0 02.22.2007 no virus found
eTrust-Vet 30.4.3420 02.22.2007 no virus found
Ewido 4.0 02.22.2007 no virus found
FileAdvisor 1 02.22.2007 no virus found
Fortinet 2.85.0.0 02.22.2007 suspicious
F-Prot 4.3.1.45 02.22.2007 no virus found
F-Secure 6.70.13030.0 02.22.2007 no virus found
Ikarus T3.1.0.31 02.22.2007 no virus found
Kaspersky 4.0.2.24 02.22.2007 no virus found
McAfee 4968 02.21.2007 no virus found
Microsoft 1.2204 02.22.2007 no virus found
NOD32v2 2075 02.22.2007 no virus found
Norman 5.80.02 02.22.2007 no virus found
Panda 9.0.0.4 02.22.2007 Trj/dmRandom.GV
Prevx1 V2 02.22.2007 no virus found
Sophos 4.14.0 02.21.2007 no virus found
Sunbelt 2.2.907.0 02.22.2007 VIPRE.Suspicious
Symantec 10 02.22.2007 no virus found
TheHacker 6.1.6.062 02.21.2007 no virus found
UNA 1.83 02.21.2007 no virus found
VBA32 3.11.2 02.21.2007 suspected of Trojan-PSW.Pinch.96 (paranoid heuristics)
VirusBuster 4.3.19:9 02.22.2007 no virus found
Aditional Information
File size: 63276 bytes
MD5: 42912c58d1a8582c064dc0e432f49e97
SHA1: bed9e181724f8c075cee9a1613cc1f707f6b5c17
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Now what?
Regards,
Yps
Remove these entires with hijackthis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
Update ad-aware and run a full scan and post the log.
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
Update ad-aware and run a full scan and post the log.
QUOTE(Ai_Tak @ Feb 27 2007, 05:08 AM)
Remove these entires with hijackthis:
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
Update ad-aware and run a full scan and post the log.
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.114 85.255.112.148
Update ad-aware and run a full scan and post the log.
Hi,
Here is my Hijackthis log.
Logfile of HijackThis v1.99.1
Scan saved at 9:41:42 PM, on 27/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\SiteAdvisor\4608\SAService.exe
C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\Virus_Removal_CastleCops\HijackThis.exe
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpeedOptimizer] C:\PROGRA~1\SPEEDO~1\SPO.EXE -s
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\4608\SiteAdv.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.1.18
O17 - HKLM\System\CS1\Services\Tcpip\..\{7EE20FD1-2AA3-4386-9DC2-00F0344059AC}: NameServer = 202.54.29.5 202.54.1.18
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\4608\SiteAdv.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\4608\SAService.exe
How do I update Adaware? I already did couple of days back.
I have 1.06R1. Ad-aware Personal.
Please send me the specific link if any.
Rgds,
Yps
Update ad-aware by clicking the "Check for updates now" text right above the start button on the status page.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.