Hi,

Hope someone can help. Recently had my PC infected with a version of the CoolWebSearch trojan. I've run CWShredder, which found and deleted it, and then ran AdAware 6 and Spybot to remove any remaining traces, but it keeps re-installing itself every time I connect to Internet Explorer. Anyone have any ideas, as it's really annoying? All software tools used are up to date, as is my Microsoft patching. I've attached a copy of my AdAware scan results below in case it helps.

Many Thanks
Craig


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :26 June 2004 07:50:40 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R324 22.06.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


26-06-2004 07:50:40 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 26-06-2004 06:47:33 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:44 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:45 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:48:18 AM
Last modified : 23/08/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:45 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:48:18 AM
Last modified : 29/08/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:46 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:48:18 AM
Last modified : 23/08/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 06:47:46 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:48:18 AM
Last modified : 23/08/2001 12:00:00 PM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:49 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 05:53:46 AM
Last modified : 23/08/2001 12:00:00 PM

#:8 [cisvc.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 06:47:50 AM
BasePriority : Normal
FileSize : 5 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Content Index service
InternalName : cisvc.exe
OriginalFilename : cisvc.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:38:40 AM
Last modified : 23/08/2001 12:00:00 PM

#:9 [cvpnd.exe]
FilePath : C:\Program Files\Cisco Systems\VPN Client\
ThreadCreationTime : 26-06-2004 06:47:50 AM
BasePriority : Normal
FileSize : 1387 KB
FileVersion : 4.0.2 (D)
ProductVersion : 4.0.2 (D)
Copyright : Copyright
CompanyName : Cisco Systems, Inc.
FileDescription : Cisco Systems VPN Client
InternalName : cvpnd
OriginalFilename : CVPND.EXE
ProductName : Cisco Systems VPN Client
Created on : 13/10/2003 10:09:15 PM
Last accessed : 26/06/2004 06:49:30 AM
Last modified : 25/08/2003 03:41:30 PM

#:10 [dkservice.exe]
FilePath : C:\Program Files\Executive Software\DiskeeperServer\
ThreadCreationTime : 26-06-2004 06:47:51 AM
BasePriority : Normal
FileSize : 248 KB
FileVersion : 7.0.393.0
ProductVersion : 7.0.393.0
CompanyName : Executive Software International, Inc.
FileDescription : DKSERVICE.EXE
InternalName : DKSERVICE
OriginalFilename : DKSERVICE
ProductName : Diskeeper (TM) Disk Defragmenter
Created on : 31/08/2001 02:23:12 PM
Last accessed : 26/06/2004 05:53:46 AM
Last modified : 31/08/2001 02:23:12 PM

#:11 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ThreadCreationTime : 26-06-2004 06:47:51 AM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1, 2, 0, 0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright (C) SEIKO EPSON CORP. 2000
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
OriginalFilename : SAgent2.exe
ProductName : EPSON Bidirectional Printer
Created on : 14/12/2001 12:10:37 PM
Last accessed : 26/06/2004 05:53:47 AM
Last modified : 17/11/2000 01:02:00 AM

#:12 [gearsec.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:51 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
OriginalFilename : gearsec.exe
ProductName : gearsec
Created on : 12/12/2003 05:32:29 PM
Last accessed : 26/06/2004 06:38:40 AM
Last modified : 12/12/2003 05:32:29 PM

#:13 [ghosts~2.exe]
FilePath : D:\PROGRA~1\Symantec\NORTON~1\
ThreadCreationTime : 26-06-2004 06:47:52 AM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 2003.775
ProductVersion : 2003.775
Copyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton Ghost Start
InternalName : GhostStartService
OriginalFilename : GhostStartService.exe
ProductName : Norton Ghost Start Service

#:14 [inorpc.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ThreadCreationTime : 26-06-2004 06:47:52 AM
BasePriority : Normal
FileSize : 136 KB
FileVersion : 7.1.192.0
ProductVersion : 7.1.192.0
Copyright : Copyright 2004 Computer Associates International, Inc.
CompanyName : Computer Associates International, Inc.
InternalName : InoRpc.exe
OriginalFilename : InoRpc.exe
ProductName : eTrust Antivirus
Created on : 06/04/2004 04:13:54 PM
Last accessed : 26/06/2004 05:53:51 AM
Last modified : 06/04/2004 04:13:54 PM

#:15 [inort.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ThreadCreationTime : 26-06-2004 06:47:54 AM
BasePriority : Normal
FileSize : 236 KB
FileVersion : 7.1.192.0
ProductVersion : 7.1.192.0
Copyright : Copyright 2004 Computer Associates International, Inc.
CompanyName : Computer Associates International, Inc.
InternalName : InoRT.dll
OriginalFilename : InoRT.dll
ProductName : eTrust Antivirus
Created on : 06/04/2004 04:13:56 PM
Last accessed : 26/06/2004 05:53:51 AM
Last modified : 06/04/2004 04:13:56 PM

#:16 [inotask.exe]
FilePath : C:\Program Files\CA\eTrust\Antivirus\
ThreadCreationTime : 26-06-2004 06:47:54 AM
BasePriority : Normal
FileSize : 248 KB
FileVersion : 7.1.192.0
ProductVersion : 7.1.192.0
Copyright : Copyright 2004 Computer Associates International, Inc.
CompanyName : Computer Associates International, Inc.
InternalName : InoTask.exe
OriginalFilename : InoTask.exe
ProductName : eTrust Antivirus
Created on : 06/04/2004 04:14:10 PM
Last accessed : 26/06/2004 06:04:55 AM
Last modified : 06/04/2004 04:14:10 PM

#:17 [appservices.exe]
FilePath : C:\PROGRA~1\Iomega\System32\
ThreadCreationTime : 26-06-2004 06:47:56 AM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 2, 0, 2, 5
ProductVersion : 2, 0, 2, 5
Copyright : Copyright
CompanyName : Iomega Corporation
FileDescription : AppServices
InternalName : AppServices
OriginalFilename : AppService.exe
ProductName : Iomega App Services
Created on : 04/09/2002 02:36:50 PM
Last accessed : 26/06/2004 05:53:52 AM
Last modified : 04/09/2002 02:11:04 PM

#:18 [logwatnt.exe]
FilePath : C:\CA_LIC\
ThreadCreationTime : 26-06-2004 06:47:56 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.52
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Computer Associates
FileDescription : LogWatNT
InternalName : LogWatNT
OriginalFilename : LogWatNT.exe
ProductName : Computer Associates LogWatNT
Created on : 20/09/2002 04:29:28 PM
Last accessed : 26/06/2004 05:53:52 AM
Last modified : 20/09/2002 04:29:28 PM

#:19 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 06:47:56 AM
BasePriority : Normal
FileSize : 80 KB
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 52.16
Created on : 06/10/2003 02:16:00 PM
Last accessed : 26/06/2004 05:53:52 AM
Last modified : 06/10/2003 02:16:00 PM

#:20 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 06:47:56 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 23/08/2001 12:00:00 PM
Last accessed : 26/06/2004 06:48:18 AM
Last modified : 23/08/2001 12:00:00 PM

#:21 [vmware-authd.exe]
FilePath : C:\Program Files\VMware\VMware Workstation\Programs\
ThreadCreationTime : 26-06-2004 06:47:56 AM
BasePriority : Normal
FileSize : 176 KB
Created on : 09/09/2002 07:20:12 PM
Last accessed : 26/06/2004 05:53:53 AM
Last modified : 09/09/2002 07:20:12 PM

#:22 [vmnetdhcp.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 26-06-2004 06:47:57 AM
BasePriority : Normal
FileSize : 140 KB
FileVersion : 3.2.0 $Name: build-2230 $
ProductVersion : 3.2.0 $Name: build-2230 $
Copyright : Copyright
CompanyName : VMware, Inc.
FileDescription : VMnet DHCP Service
InternalName : VMnetDHCP
OriginalFilename : VMnetDHCP.exe
ProductName : VMware Workstation
Created on : 09/09/2002 07:17:46 PM
Last accessed : 26/06/2004 06:38:40 AM
Last modified : 09/09/2002 07:17:46 PM

#:23 [vmnat.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:47:57 AM
BasePriority : Normal
FileSize : 112 KB
Created on : 09/09/2002 07:20:54 PM
Last accessed : 26/06/2004 05:53:53 AM
Last modified : 09/09/2002 07:20:54 PM

#:24 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ThreadCreationTime : 26-06-2004 06:47:59 AM
BasePriority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 24/08/2003 09:02:11 PM
Last accessed : 26/06/2004 06:47:59 AM
Last modified : 17/05/2004 03:55:26 AM

#:25 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 26-06-2004 06:48:10 AM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 11/05/2003 08:12:10 PM
Last accessed : 26/06/2004 06:49:23 AM
Last modified : 11/05/2003 08:12:10 PM

#:26 [dragdiag.exe]
FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
ThreadCreationTime : 26-06-2004 06:49:08 AM
BasePriority : Normal
FileSize : 840 KB
FileVersion : 201.2.0.0
ProductVersion : 201.2.0.0
Copyright : Copyright
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
ProductName : SpeedTouch USB
Created on : 28/07/2002 03:07:21 PM
Last accessed : 26/06/2004 06:49:09 AM
Last modified : 12/11/2002 10:02:08 AM

#:27 [realmon.exe]
FilePath : C:\PROGRA~1\CA\eTrust\ANTIVI~1\
ThreadCreationTime : 26-06-2004 06:49:09 AM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 7.1.192.0
ProductVersion : 7.1.192.0
Copyright : Copyright 2004 Computer Associates International, Inc.
CompanyName : Computer Associates International, Inc.
InternalName : Realmon.exe
OriginalFilename : Realmon.exe
ProductName : eTrust Antivirus
Created on : 06/04/2004 04:14:48 PM
Last accessed : 26/06/2004 06:49:10 AM
Last modified : 06/04/2004 04:14:48 PM

#:28 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 26-06-2004 06:49:09 AM
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 10/02/2004 12:17:51 AM
Last accessed : 26/06/2004 06:49:09 AM
Last modified : 05/05/2004 09:49:54 PM

#:29 [zlclient.exe]
FilePath : C:\Program Files\zafiles\Zone Labs\ZoneAlarm\
ThreadCreationTime : 26-06-2004 06:49:09 AM
BasePriority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 24/12/2003 12:23:57 AM
Last accessed : 26/06/2004 06:49:16 AM
Last modified : 17/05/2004 03:56:14 AM

#:30 [d3rk32.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:49:10 AM
BasePriority : Normal
FileSize : 26 KB
Created on : 27/05/2004 04:39:18 PM
Last accessed : 26/06/2004 06:49:10 AM
Last modified : 27/05/2004 04:39:18 PM

#:31 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 26-06-2004 06:49:10 AM
BasePriority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0137
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 28/05/2004 02:22:04 PM
Last accessed : 26/06/2004 06:49:17 AM
Last modified : 28/05/2004 02:22:04 PM

#:32 [psfree.exe]
FilePath : C:\PROGRA~1\PANICW~1\POP-UP~2\
ThreadCreationTime : 26-06-2004 06:49:10 AM
BasePriority : Normal
FileSize : 512 KB
FileVersion : 3, 1, 0, 1012
ProductVersion : 1, 0, 0, 1
Copyright : Copyright (C) 2002-2003
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Free Edition
InternalName : Pop-Up Stopper Free Edition
OriginalFilename : PSFree.exe
ProductName : Pop-Up Stopper Free Edition
Created on : 16/01/2004 11:35:30 PM
Last accessed : 26/06/2004 06:49:16 AM
Last modified : 29/10/2003 11:01:02 AM

#:33 [wcescomm.exe]
FilePath : C:\Program Files\Microsoft ActiveSync\
ThreadCreationTime : 26-06-2004 06:49:11 AM
BasePriority : Normal
FileSize : 368 KB
FileVersion : 3.7.1.3244
ProductVersion : 3.7.3244
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Connection Manager
InternalName : wcescomm
OriginalFilename : WCESCOMM.EXE
ProductName : Microsoft ActiveSync
Created on : 09/03/2002 11:16:01 PM
Last accessed : 26/06/2004 06:49:17 AM
Last modified : 01/09/2003 06:52:42 PM

#:34 [crzt.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 26-06-2004 06:50:03 AM
BasePriority : Normal
FileSize : 9 KB
Created on : 25/06/2004 07:41:18 AM
Last accessed : 26/06/2004 06:50:03 AM
Last modified : 25/06/2004 07:41:18 AM
Warning! CoolWebSearch object found in memory(C:\WINDOWS\system32\crzt.exe)

CoolWebSearch Object recognized!
Type : Process
Data : crzt.exe
Object : C:\WINDOWS\system32\
FileSize : 9 KB
Created on : 25/06/2004 07:41:18 AM
Last accessed : 26/06/2004 06:50:03 AM
Last modified : 25/06/2004 07:41:18 AM


Warning! "crzt.exe"Process could not be terminated!

#:35 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 26-06-2004 06:50:32 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 19/02/2003 12:18:25 AM
Last accessed : 26/06/2004 06:50:33 AM
Last modified : 12/07/2003 09:00:20 PM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://jcirb.dll/index.html#35759"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://jcirb.dll/index.html#35759"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://jcirb.dll/index.html#35759"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "res://jcirb.dll/index.html#35759"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://jcirb.dll/index.html#35759"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Page_URL
Data : "res://jcirb.dll/index.html#35759"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 4


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SYSTEM\CurrentControlSet\Services\__NS_Service_3


Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 5


07:54:09 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:03:28:406
Objects scanned :52452
Objects identified :5
Objects ignored :0
New objects :5
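As an added example, not part of the thread and not Lavasoft's code, here is a small Python parser for the Ad-aware 6 log format Craig posted. It pulls out the three kinds of detection block (Process, RegData, RegKey) and the "could not be terminated" warning, then turns them into the triage list a responder wants: the res:// start-page hijack, the service that persists it, and the memory-resident process the scanner could not stop; the sample log is a constructed excerpt of the log above, and the no-publisher-metadata heuristic is the example's own, not an Ad-aware verdict.

```python
# Added example (not Lavasoft's code): parse an Ad-aware 6 log into findings and a triage list.
import re
from dataclasses import dataclass, field

# Constructed excerpt of the log above: process entries and the three detection kinds.
SAMPLE_LOG = """\
#:3 [services.exe]
FilePath : C:\\WINDOWS\\system32\\
CompanyName : Microsoft Corporation

#:30 [d3rk32.exe]
FilePath : C:\\WINDOWS\\system32\\
Created on : 27/05/2004 04:39:18 PM

#:34 [crzt.exe]
FilePath : C:\\WINDOWS\\system32\\

CoolWebSearch Object recognized!
Type : Process
Data : crzt.exe
Object : C:\\WINDOWS\\system32\\

Warning! "crzt.exe"Process could not be terminated!

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "res://jcirb.dll/index.html#35759"
Rootkey : HKEY_CURRENT_USER
Object : Software\\Microsoft\\Internet Explorer\\Main
Value : Start Page
Data : "res://jcirb.dll/index.html#35759"

CoolWebSearch Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SYSTEM\\CurrentControlSet\\Services\\__NS_Service_3
"""

PROC = re.compile(r"^#:\d+ \[(.+)\]$")           # "#:34 [crzt.exe]"
KV = re.compile(r"^([A-Za-z ]+?) : ?(.*)$")       # "Key : Value", value may be empty
KILL_FAIL = re.compile(r'^Warning! "(.+?)"Process could not be terminated!$')
RECOGNIZED = " Object recognized!"


@dataclass
class Block:
    label: str  # exe name for a process entry, or the scanner's label ("CoolWebSearch", ...)
    fields: dict = field(default_factory=dict)

    def location(self) -> str:
        f = self.fields
        if "FilePath" in f:  # running-process entry
            return f["FilePath"] + self.label
        if f.get("Type") == "Process":  # detection of a running process
            return f.get("Object", "") + f.get("Data", "")
        loc = f.get("Rootkey", "") + "\\" + f.get("Object", "")  # RegKey / RegData
        return loc + "\\" + f["Value"] if "Value" in f else loc


def parse_log(text: str):
    """Blank lines separate blocks; a block opens with '#:N [exe]' or '... Object recognized!'."""
    processes, findings, unkillable, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # blank line closes the block
        elif m := PROC.match(line):
            current = Block(m.group(1))
            processes.append(current)
        elif line.endswith(RECOGNIZED):
            current = Block(line[: -len(RECOGNIZED)])
            findings.append(current)
        elif m := KILL_FAIL.match(line):
            unkillable.append(m.group(1))  # the scanner saw it but could not stop it
        elif (m := KV.match(line)) and current is not None:
            # Ad-aware repeats "Data :" inside a RegData block; the copies are identical.
            current.fields.setdefault(m.group(1), m.group(2).strip('"'))
    return processes, findings, unkillable


def triage(processes, findings, unkillable):
    """What a responder asks first: where is the hijack, what persists it, what could not be stopped."""
    notes = []
    for f in findings:
        kind, data = f.fields.get("Type"), f.fields.get("Data", "")
        if kind == "RegData" and data.lower().startswith("res://"):
            notes.append(f"IE start page hijacked via resource URL: {f.location()} = {data}")
        elif kind == "RegKey" and "\\services\\" in f.fields.get("Object", "").lower():
            notes.append(f"service persistence: {f.location()}")
        elif kind == "Process":
            tag = " (could not be terminated)" if data in unkillable else ""
            notes.append(f"malicious process: {f.location()}{tag}")
    # Heuristic, not a scanner verdict: unflagged system32 executables with no publisher metadata merit a manual look.
    flagged = {f.fields.get("Data", "").lower() for f in findings}
    for p in processes:
        in_sys32 = "system32" in p.fields.get("FilePath", "").lower()
        if in_sys32 and "CompanyName" not in p.fields and p.label.lower() not in flagged:
            notes.append(f"unflagged, no publisher info: {p.location()}")
    return notes
```

Run against the full log above, the same code yields the five objects Ad-aware counted plus the d3rk32.exe entry it did not flag.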

Re: Coolwebsearch Infection by Sandi

Sandi
Sat Jun 26 04:59:14 CDT 2004

Craig,

After you follow the advice below, if you are still having trouble THEN post
a HijackThis log.

There are many people who have helped this FAQ improve over time - MVPs and
newsgroup users. I thank all of you who have made the newsgroups,
anti-malware websites and dedicated mailing lists into such a wonderful
resource.

Read the advice at my prevention link
(http://inetexplorer.mvps.org/data/prevention.htm) to reduce the chances of
your computer being infected.

IMPORTANT: Before trying to remove spyware, download a copy of LSPFIX from
the URL below - some malware can kill your internet connection when it is
removed, and this software should get things going for you again:
http://www.cexx.org/lspfix.htm

Also get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html

The software you should download and have ready to use is:

AdAware - www.lavasoft.de [..Warning: AdAware is now version 6.181. All
previous versions are NO LONGER SUPPORTED and will not be updated...]

Spybot Search and Destroy - http://spybot.eon.net.au

HijackThis - http://209.133.47.12/~merijn/files/HijackThis.exe

CWShredder - http://www.merijn.org/files/CWShredder.exe

IMPORTANT: After obtaining the required software above, make sure you check
for updates and run the programmes in safe mode.

Malware removal (beginner's guide):

First, go to Control Panel, add/remove programs. Check for malware entries
and use the uninstall programs, then reboot.

Go to start/run and type MSCONFIG. Go to the startup tab. Disable
everything that you do not recognise as legitimate (do not disable any power
profile options).

Now go to the Services tab. Turn on the option to 'hide all Microsoft
Services'. Disable everything that remains. If you don't have this option,
don't worry about it.

Reboot your computer and hold down the F8 key until the boot menu options
appear. Choose Safe Mode as your startup choice. You will find
information about what safe mode is, and what it does, at this link
[http://inetexplorer.mvps.org/data/safe_mode.htm]

[...Information about safe mode...By starting in safe mode, you are
disabling startup programmes and 'non-essential' services. Note that some
hardware, such as USB devices, audio devices and IEEE 1394 devices will not
work properly, or at all, in safe mode. Services that WILL load in safe mode
are listed at the following registry keys:

Safe mode
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \SafeBoot \Minimal

Safe mode with networking
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \SafeBoot \Network
...]


Start CWSHREDDER. Update it, and fix anything it finds. Reboot back into
safe mode.

Start AdAware. Use the 'check for updates now' option. After you have
updated, click 'start'.

Note that when run using default settings, AdAware does not cope with new
'intelligent' malware. Make the following changes to the default settings.

Use the option 'select drives/folders to scan'. Set AdAware to scan your
entire hard drive.

Make sure 'activate in depth scan' is enabled.

Select 'use custom scanning options' and then click on the 'customize'
button. Turn on the following scan options - scan within archives, scan
active processes, scan registry, deep registry scan, scan [my] IE favorites
for banned URLs, and scan [my] hosts file.

Use the 'tweak' button. Turn on the following options:

Cleaning engine: 'automatically try to unregister objects prior to
deletion', 'let windows remove files in use at next reboot', 'delete
quarantined objects after restoring'.

Scanning engine: 'unload recognized processes during scan'.

After you have finished with AdAware run Spybot to pick up any leftovers.
Fix anything marked in red. Again, don't forget to check for updates.

Also do the following:

Empty your IE cache and your other temporary file folders, e.g. c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those folders.

Go to IE Tools, Internet Options, Temporary Internet Files {Settings
Button}, View Objects, Downloaded Program Files. Check for unrecognised
objects there.

Go to IE Tools, Internet Options, Accessibility. Make sure there is no style
sheet chosen (under User Style Sheet - format documents using my style
sheet). If the option is turned on, turn it OFF.

If the problem comes back, start all over again but with the following
changes (this section requires advanced computer skills - inexperienced
users will require assistance):

Examine win.ini using MSCONFIG to see what is loading. You may find
something there. Go to MSCONFIG and go to the General tab. Turn off
process win.ini file, load system services and load startup items. Restart
Windows and run AdAware etc once more.

Use services.msc to see what is running. Some malware is now registering
itself as a Service. The problem is working out what is legitimate and what
is not.

I strongly recommend that, unless you have strong experience working in this
area, you post details of the services revealed by services.msc to a
microsoft.public newsgroup for professional guidance, until such time as I am
able to track down a comprehensive list of legitimate services (or put one
together myself). If you turn off the wrong service you could cause serious
problems, and at the very worst, leave the computer unbootable.

An experienced computer technician can use a programme such as AutoStart
Viewer for in-depth diagnosis:
http://www.diamondcs.com.au/index.php?page=asviewer

Another excellent programme for the experienced user is APM (Advanced
Process Manipulation), available at:
http://www.diamondcs.com.au/index.php?page=apm

Once the computer is clean, and if it applies to the operating system,
create a new restore point. The old ones may, of course, be infected with
the malware and therefore cannot be used. Run disk cleanup to remove old
restore points (if your operating system has this option you will find it on
the 'more options' tab of the disk cleanup utility). If the option to remove
old restore points is not available, stop and restart the restore service,
which will flush out old restore points and prevent accidental reloading of
malware.

MS have released a limited KB article regarding what they call 'deceptive
software'.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;827315

Here is advice specific to:

home page hijackings
http://inetexplorer.mvps.org/answers.htm#home_page

pop-up ads
http://inetexplorer.mvps.org/data/popup.htm

search engine hijackings
http://inetexplorer.mvps.org/answers4.htm#search_engine


--
Hyperlinks are used to ensure advice remains current
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://inetexplorer.mvps.org/




Craig wrote:
> Hi,
>
> Hope someone can help. Recently had my PC infected with a version of
> coolwebsearch trojan. I've ran CWShreader which found and deleted it,
> and then ran AdAware 6 and Spybot to remove any remaining traces, but
> it keeps re-installing it'self everytime I connect to IE explorer.
> Anyone have any ideas as it's really annoying. All software tools
> used are up to date as is my Microsoft patching, I've attached a copy
> of my adaware scan results below in case it helps.
>
> Many Thanks
> Craig
>
>
> Lavasoft Ad-aware Personal Build 6.181
> Logfile created on :26 June 2004 07:50:40 AM
> Created with Ad-aware Personal, free for private use.
> Using reference-file :01R324 22.06.2004
> ______________________________________________________
>
> Ad-aware Settings
> =========================
> Set : Activate in-depth scan (Recommended)
> Set : Safe mode (always request confirmation)
> Set : Scan active processes
> Set : Scan registry
> Set : Deep scan registry
> Set : Scan my IE Favorites for banned URLs
> Set : Scan within archives
> Set : Scan my Hosts file
>
>
> 26-06-2004 07:50:40 AM - Scan started. (Smart mode)
>
> Listing running processes
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
>
> #:1 [smss.exe]
> FilePath : \SystemRoot\System32\
> ThreadCreationTime : 26-06-2004 06:47:33 AM
> BasePriority : Normal
>
>
> #:2 [winlogon.exe]
> FilePath : \??\C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:44 AM
> BasePriority : High
>
>
> #:3 [services.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:45 AM
> BasePriority : Normal
> FileSize : 99 KB
> FileVersion : 5.1.2600.0 (xpclient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Services and Controller app
> InternalName : services.exe
> OriginalFilename : services.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:48:18 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:4 [lsass.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:45 AM
> BasePriority : Normal
> FileSize : 11 KB
> FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
> ProductVersion : 5.1.2600.1106
> CompanyName : Microsoft Corporation
> FileDescription : LSA Shell (Export Version)
> InternalName : lsass.exe
> OriginalFilename : lsass.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:48:18 AM
> Last modified : 29/08/2002 10:41:26 AM
>
> #:5 [svchost.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:46 AM
> BasePriority : Normal
> FileSize : 12 KB
> FileVersion : 5.1.2600.0 (xpclient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Generic Host Process for Win32 Services
> InternalName : svchost.exe
> OriginalFilename : svchost.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:48:18 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:6 [svchost.exe]
> FilePath : C:\WINDOWS\System32\
> ThreadCreationTime : 26-06-2004 06:47:46 AM
> BasePriority : Normal
> FileSize : 12 KB
> FileVersion : 5.1.2600.0 (xpclient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Generic Host Process for Win32 Services
> InternalName : svchost.exe
> OriginalFilename : svchost.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:48:18 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:7 [spoolsv.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:49 AM
> BasePriority : Normal
> FileSize : 50 KB
> FileVersion : 5.1.2600.0 (XPClient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Spooler SubSystem App
> InternalName : spoolsv.exe
> OriginalFilename : spoolsv.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 05:53:46 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:8 [cisvc.exe]
> FilePath : C:\WINDOWS\System32\
> ThreadCreationTime : 26-06-2004 06:47:50 AM
> BasePriority : Normal
> FileSize : 5 KB
> FileVersion : 5.1.2600.0 (xpclient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Content Index service
> InternalName : cisvc.exe
> OriginalFilename : cisvc.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:38:40 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:9 [cvpnd.exe]
> FilePath : C:\Program Files\Cisco Systems\VPN Client\
> ThreadCreationTime : 26-06-2004 06:47:50 AM
> BasePriority : Normal
> FileSize : 1387 KB
> FileVersion : 4.0.2 (D)
> ProductVersion : 4.0.2 (D)
> Copyright : Copyright
> CompanyName : Cisco Systems, Inc.
> FileDescription : Cisco Systems VPN Client
> InternalName : cvpnd
> OriginalFilename : CVPND.EXE
> ProductName : Cisco Systems VPN Client
> Created on : 13/10/2003 10:09:15 PM
> Last accessed : 26/06/2004 06:49:30 AM
> Last modified : 25/08/2003 03:41:30 PM
>
> #:10 [dkservice.exe]
> FilePath : C:\Program Files\Executive
> Software\DiskeeperServer\ ThreadCreationTime : 26-06-2004 06:47:51
> AM BasePriority : Normal
> FileSize : 248 KB
> FileVersion : 7.0.393.0
> ProductVersion : 7.0.393.0
> CompanyName : Executive Software International, Inc.
> FileDescription : DKSERVICE.EXE
> InternalName : DKSERVICE
> OriginalFilename : DKSERVICE
> ProductName : Diskeeper (TM) Disk Defragmenter
> Created on : 31/08/2001 02:23:12 PM
> Last accessed : 26/06/2004 05:53:46 AM
> Last modified : 31/08/2001 02:23:12 PM
>
> #:11 [sagent2.exe]
> FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
> ThreadCreationTime : 26-06-2004 06:47:51 AM
> BasePriority : Normal
> FileSize : 112 KB
> FileVersion : 1, 2, 0, 0
> ProductVersion : 1, 0, 0, 0
> Copyright : Copyright (C) SEIKO EPSON CORP. 2000
> CompanyName : SEIKO EPSON CORPORATION
> FileDescription : EPSON Printer Status Agent
> InternalName : SAgent2
> OriginalFilename : SAgent2.exe
> ProductName : EPSON Bidirectional Printer
> Created on : 14/12/2001 12:10:37 PM
> Last accessed : 26/06/2004 05:53:47 AM
> Last modified : 17/11/2000 01:02:00 AM
>
> #:12 [gearsec.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:51 AM
> BasePriority : Normal
> FileSize : 48 KB
> FileVersion : 1, 0, 0, 3
> ProductVersion : 1, 0, 0, 3
> Copyright : Copyright
> CompanyName : GEAR Software
> FileDescription : gearsec
> InternalName : gearsec
> OriginalFilename : gearsec.exe
> ProductName : gearsec
> Created on : 12/12/2003 05:32:29 PM
> Last accessed : 26/06/2004 06:38:40 AM
> Last modified : 12/12/2003 05:32:29 PM
>
> #:13 [ghosts~2.exe]
> FilePath : D:\PROGRA~1\Symantec\NORTON~1\
> ThreadCreationTime : 26-06-2004 06:47:52 AM
> BasePriority : Normal
> FileSize : 196 KB
> FileVersion : 2003.775
> ProductVersion : 2003.775
> Copyright : Copyright (C) 1998-2002 Symantec Corp. All rights reserved.
> CompanyName : Symantec Corporation
> FileDescription : Norton Ghost Start
> InternalName : GhostStartService
> OriginalFilename : GhostStartService.exe
> ProductName : Norton Ghost Start Service
>
> #:14 [inorpc.exe]
> FilePath : C:\Program Files\CA\eTrust\Antivirus\
> ThreadCreationTime : 26-06-2004 06:47:52 AM
> BasePriority : Normal
> FileSize : 136 KB
> FileVersion : 7.1.192.0
> ProductVersion : 7.1.192.0
> Copyright : Copyright 2004 Computer Associates International, Inc.
> CompanyName : Computer Associates International, Inc.
> InternalName : InoRpc.exe
> OriginalFilename : InoRpc.exe
> ProductName : eTrust Antivirus
> Created on : 06/04/2004 04:13:54 PM
> Last accessed : 26/06/2004 05:53:51 AM
> Last modified : 06/04/2004 04:13:54 PM
>
> #:15 [inort.exe]
> FilePath : C:\Program Files\CA\eTrust\Antivirus\
> ThreadCreationTime : 26-06-2004 06:47:54 AM
> BasePriority : Normal
> FileSize : 236 KB
> FileVersion : 7.1.192.0
> ProductVersion : 7.1.192.0
> Copyright : Copyright 2004 Computer Associates International, Inc.
> CompanyName : Computer Associates International, Inc.
> InternalName : InoRT.dll
> OriginalFilename : InoRT.dll
> ProductName : eTrust Antivirus
> Created on : 06/04/2004 04:13:56 PM
> Last accessed : 26/06/2004 05:53:51 AM
> Last modified : 06/04/2004 04:13:56 PM
>
> #:16 [inotask.exe]
> FilePath : C:\Program Files\CA\eTrust\Antivirus\
> ThreadCreationTime : 26-06-2004 06:47:54 AM
> BasePriority : Normal
> FileSize : 248 KB
> FileVersion : 7.1.192.0
> ProductVersion : 7.1.192.0
> Copyright : Copyright 2004 Computer Associates International, Inc.
> CompanyName : Computer Associates International, Inc.
> InternalName : InoTask.exe
> OriginalFilename : InoTask.exe
> ProductName : eTrust Antivirus
> Created on : 06/04/2004 04:14:10 PM
> Last accessed : 26/06/2004 06:04:55 AM
> Last modified : 06/04/2004 04:14:10 PM
>
> #:17 [appservices.exe]
> FilePath : C:\PROGRA~1\Iomega\System32\
> ThreadCreationTime : 26-06-2004 06:47:56 AM
> BasePriority : Normal
> FileSize : 72 KB
> FileVersion : 2, 0, 2, 5
> ProductVersion : 2, 0, 2, 5
> Copyright : Copyright
> CompanyName : Iomega Corporation
> FileDescription : AppServices
> InternalName : AppServices
> OriginalFilename : AppService.exe
> ProductName : Iomega App Services
> Created on : 04/09/2002 02:36:50 PM
> Last accessed : 26/06/2004 05:53:52 AM
> Last modified : 04/09/2002 02:11:04 PM
>
> #:18 [logwatnt.exe]
> FilePath : C:\CA_LIC\
> ThreadCreationTime : 26-06-2004 06:47:56 AM
> BasePriority : Normal
> FileSize : 52 KB
> FileVersion : 1.52
> ProductVersion : 1, 0, 0, 1
> Copyright : Copyright
> CompanyName : Computer Associates
> FileDescription : LogWatNT
> InternalName : LogWatNT
> OriginalFilename : LogWatNT.exe
> ProductName : Computer Associates LogWatNT
> Created on : 20/09/2002 04:29:28 PM
> Last accessed : 26/06/2004 05:53:52 AM
> Last modified : 20/09/2002 04:29:28 PM
>
> #:19 [nvsvc32.exe]
> FilePath : C:\WINDOWS\System32\
> ThreadCreationTime : 26-06-2004 06:47:56 AM
> BasePriority : Normal
> FileSize : 80 KB
> FileVersion : 6.14.10.5216
> ProductVersion : 6.14.10.5216
> Copyright : (C) NVIDIA Corporation. All rights reserved.
> CompanyName : NVIDIA Corporation
> FileDescription : NVIDIA Driver Helper Service, Version 52.16
> InternalName : NVSVC
> OriginalFilename : nvsvc32.exe
> ProductName : NVIDIA Driver Helper Service, Version 52.16
> Created on : 06/10/2003 02:16:00 PM
> Last accessed : 26/06/2004 05:53:52 AM
> Last modified : 06/10/2003 02:16:00 PM
>
> #:20 [svchost.exe]
> FilePath : C:\WINDOWS\System32\
> ThreadCreationTime : 26-06-2004 06:47:56 AM
> BasePriority : Normal
> FileSize : 12 KB
> FileVersion : 5.1.2600.0 (xpclient.010817-1148)
> ProductVersion : 5.1.2600.0
> CompanyName : Microsoft Corporation
> FileDescription : Generic Host Process for Win32 Services
> InternalName : svchost.exe
> OriginalFilename : svchost.exe
> ProductName : Microsoft
> Created on : 23/08/2001 12:00:00 PM
> Last accessed : 26/06/2004 06:48:18 AM
> Last modified : 23/08/2001 12:00:00 PM
>
> #:21 [vmware-authd.exe]
> FilePath : C:\Program Files\VMware\VMware Workstation\Programs\
> ThreadCreationTime : 26-06-2004 06:47:56 AM
> BasePriority : Normal
> FileSize : 176 KB
> Created on : 09/09/2002 07:20:12 PM
> Last accessed : 26/06/2004 05:53:53 AM
> Last modified : 09/09/2002 07:20:12 PM
>
> #:22 [vmnetdhcp.exe]
> FilePath : C:\WINDOWS\System32\
> ThreadCreationTime : 26-06-2004 06:47:57 AM
> BasePriority : Normal
> FileSize : 140 KB
> FileVersion : 3.2.0 $Name: build-2230 $
> ProductVersion : 3.2.0 $Name: build-2230 $
> Copyright : Copyright
> CompanyName : VMware, Inc.
> FileDescription : VMnet DHCP Service
> InternalName : VMnetDHCP
> OriginalFilename : VMnetDHCP.exe
> ProductName : VMware Workstation
> Created on : 09/09/2002 07:17:46 PM
> Last accessed : 26/06/2004 06:38:40 AM
> Last modified : 09/09/2002 07:17:46 PM
>
> #:23 [vmnat.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:47:57 AM
> BasePriority : Normal
> FileSize : 112 KB
> Created on : 09/09/2002 07:20:54 PM
> Last accessed : 26/06/2004 05:53:53 AM
> Last modified : 09/09/2002 07:20:54 PM
>
> #:24 [vsmon.exe]
> FilePath : C:\WINDOWS\system32\ZoneLabs\
> ThreadCreationTime : 26-06-2004 06:47:59 AM
> BasePriority : Normal
> FileSize : 893 KB
> FileVersion : 5.0.590.015
> ProductVersion : 5.0.590.015
> Copyright : Copyright
> CompanyName : Zone Labs Inc.
> FileDescription : TrueVector Service
> InternalName : vsmon
> OriginalFilename : vsmon.exe
> ProductName : TrueVector Service
> Created on : 24/08/2003 09:02:11 PM
> Last accessed : 26/06/2004 06:47:59 AM
> Last modified : 17/05/2004 03:55:26 AM
>
> #:25 [explorer.exe]
> FilePath : C:\WINDOWS\
> ThreadCreationTime : 26-06-2004 06:48:10 AM
> BasePriority : Normal
> FileSize : 973 KB
> FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
> ProductVersion : 6.00.2800.1221
> CompanyName : Microsoft Corporation
> FileDescription : Windows Explorer
> InternalName : explorer
> OriginalFilename : EXPLORER.EXE
> ProductName : Microsoft
> Created on : 11/05/2003 08:12:10 PM
> Last accessed : 26/06/2004 06:49:23 AM
> Last modified : 11/05/2003 08:12:10 PM
>
> #:26 [dragdiag.exe]
> FilePath : C:\Program Files\Alcatel\SpeedTouch USB\
> ThreadCreationTime : 26-06-2004 06:49:08 AM
> BasePriority : Normal
> FileSize : 840 KB
> FileVersion : 201.2.0.0
> ProductVersion : 201.2.0.0
> Copyright : Copyright
> CompanyName : THOMSON multimedia
> FileDescription : SpeedTouch Statistics
> ProductName : SpeedTouch USB
> Created on : 28/07/2002 03:07:21 PM
> Last accessed : 26/06/2004 06:49:09 AM
> Last modified : 12/11/2002 10:02:08 AM
>
> #:27 [realmon.exe]
> FilePath : C:\PROGRA~1\CA\eTrust\ANTIVI~1\
> ThreadCreationTime : 26-06-2004 06:49:09 AM
> BasePriority : Normal
> FileSize : 492 KB
> FileVersion : 7.1.192.0
> ProductVersion : 7.1.192.0
> Copyright : Copyright 2004 Computer Associates International, Inc.
> CompanyName : Computer Associates International, Inc.
> InternalName : Realmon.exe
> OriginalFilename : Realmon.exe
> ProductName : eTrust Antivirus
> Created on : 06/04/2004 04:14:48 PM
> Last accessed : 26/06/2004 06:49:10 AM
> Last modified : 06/04/2004 04:14:48 PM
>
> #:28 [realsched.exe]
> FilePath : C:\Program Files\Common Files\Real\Update_OB\
> ThreadCreationTime : 26-06-2004 06:49:09 AM
> BasePriority : Normal
> FileSize : 176 KB
> FileVersion : 0.1.0.3018
> ProductVersion : 0.1.0.3018
> Copyright : Copyright
> CompanyName : RealNetworks, Inc.
> FileDescription : RealNetworks Scheduler
> InternalName : schedapp
> OriginalFilename : realsched.exe
> ProductName : RealPlayer (32-bit)
> Created on : 10/02/2004 12:17:51 AM
> Last accessed : 26/06/2004 06:49:09 AM
> Last modified : 05/05/2004 09:49:54 PM
>
> #:29 [zlclient.exe]
> FilePath : C:\Program Files\zafiles\Zone Labs\ZoneAlarm\
> ThreadCreationTime : 26-06-2004 06:49:09 AM
> BasePriority : Normal
> FileSize : 681 KB
> FileVersion : 5.0.590.015
> ProductVersion : 5.0.590.015
> Copyright : Copyright
> CompanyName : Zone Labs Inc.
> FileDescription : Zone Labs Client
> InternalName : zlclient
> OriginalFilename : zlclient.exe
> ProductName : Zone Labs Client
> Created on : 24/12/2003 12:23:57 AM
> Last accessed : 26/06/2004 06:49:16 AM
> Last modified : 17/05/2004 03:56:14 AM
>
> #:30 [d3rk32.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:49:10 AM
> BasePriority : Normal
> FileSize : 26 KB
> Created on : 27/05/2004 04:39:18 PM
> Last accessed : 26/06/2004 06:49:10 AM
> Last modified : 27/05/2004 04:39:18 PM
>
> #:31 [msnmsgr.exe]
> FilePath : C:\Program Files\MSN Messenger\
> ThreadCreationTime : 26-06-2004 06:49:10 AM
> BasePriority : Normal
> FileSize : 4768 KB
> FileVersion : 6.2.0137
> ProductVersion : Version 6.2
> Copyright : Copyright (c) Microsoft Corporation 1997-2004
> CompanyName : Microsoft Corporation
> FileDescription : MSN Messenger
> InternalName : msnmsgr
> OriginalFilename : msnmsgr.exe
> ProductName : MSN Messenger
> Created on : 28/05/2004 02:22:04 PM
> Last accessed : 26/06/2004 06:49:17 AM
> Last modified : 28/05/2004 02:22:04 PM
>
> #:32 [psfree.exe]
> FilePath : C:\PROGRA~1\PANICW~1\POP-UP~2\
> ThreadCreationTime : 26-06-2004 06:49:10 AM
> BasePriority : Normal
> FileSize : 512 KB
> FileVersion : 3, 1, 0, 1012
> ProductVersion : 1, 0, 0, 1
> Copyright : Copyright (C) 2002-2003
> CompanyName : Panicware, Inc.
> FileDescription : Pop-Up Stopper Free Edition
> InternalName : Pop-Up Stopper Free Edition
> OriginalFilename : PSFree.exe
> ProductName : Pop-Up Stopper Free Edition
> Created on : 16/01/2004 11:35:30 PM
> Last accessed : 26/06/2004 06:49:16 AM
> Last modified : 29/10/2003 11:01:02 AM
>
> #:33 [wcescomm.exe]
> FilePath : C:\Program Files\Microsoft ActiveSync\
> ThreadCreationTime : 26-06-2004 06:49:11 AM
> BasePriority : Normal
> FileSize : 368 KB
> FileVersion : 3.7.1.3244
> ProductVersion : 3.7.3244
> Copyright : Copyright
> CompanyName : Microsoft Corporation
> FileDescription : Connection Manager
> InternalName : wcescomm
> OriginalFilename : WCESCOMM.EXE
> ProductName : Microsoft ActiveSync
> Created on : 09/03/2002 11:16:01 PM
> Last accessed : 26/06/2004 06:49:17 AM
> Last modified : 01/09/2003 06:52:42 PM
>
> #:34 [crzt.exe]
> FilePath : C:\WINDOWS\system32\
> ThreadCreationTime : 26-06-2004 06:50:03 AM
> BasePriority : Normal
> FileSize : 9 KB
> Created on : 25/06/2004 07:41:18 AM
> Last accessed : 26/06/2004 06:50:03 AM
> Last modified : 25/06/2004 07:41:18 AM
> Warning! CoolWebSearch object found in memory(C:\WINDOWS\system32\crzt.exe)
>
> CoolWebSearch Object recognized!
> Type : Process
> Data : crzt.exe
> Object : C:\WINDOWS\system32\
> FileSize : 9 KB
> Created on : 25/06/2004 07:41:18 AM
> Last accessed : 26/06/2004 06:50:03 AM
> Last modified : 25/06/2004 07:41:18 AM
>
>
> Warning! "crzt.exe"Process could not be terminated!
>
> #:35 [ad-aware.exe]
> FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
> ThreadCreationTime : 26-06-2004 06:50:32 AM
> BasePriority : Normal
> FileSize : 668 KB
> FileVersion : 6.0.1.181
> ProductVersion : 6.0.0.0
> Copyright : Copyright
> CompanyName : Lavasoft Sweden
> FileDescription : Ad-aware 6 core application
> InternalName : Ad-aware.exe
> OriginalFilename : Ad-aware.exe
> ProductName : Lavasoft Ad-aware Plus
> Created on : 19/02/2003 12:18:25 AM
> Last accessed : 26/06/2004 06:50:33 AM
> Last modified : 12/07/2003 09:00:20 PM
>
> Memory scan result :
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
> New objects : 1
> Objects found so far: 1
>
>
> Started registry scan
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
>
> Registry scan result :
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
> New objects : 0
> Objects found so far: 1
>
>
> Started deep registry scan
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
> Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
>
> Possible Browser Hijack attempt Object recognized!
> Type : RegData
> Data : "res://jcirb.dll/index.html#35759"
> Rootkey : HKEY_CURRENT_USER
> Object : Software\Microsoft\Internet Explorer\Main
> Value : Start Page
> Data : "res://jcirb.dll/index.html#35759"
>
> Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Page.dll/index.html
>
> Possible Browser Hijack attempt Object recognized!
> Type : RegData
> Data : "res://jcirb.dll/index.html#35759"
> Rootkey : HKEY_LOCAL_MACHINE
> Object : Software\Microsoft\Internet Explorer\Main
> Value : Start Page
> Data : "res://jcirb.dll/index.html#35759"
>
> Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Page_URL.dll/index.html
>
> Possible Browser Hijack attempt Object recognized!
> Type : RegData
> Data : "res://jcirb.dll/index.html#35759"
> Rootkey : HKEY_LOCAL_MACHINE
> Object : Software\Microsoft\Internet Explorer\Main
> Value : Default_Page_URL
> Data : "res://jcirb.dll/index.html#35759"
>
>
> Deep registry scan result :
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
> New objects : 3
> Objects found so far: 4
>
>
> ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯