[Michelle]

Go ahead and delete them with SpyBot. Just leftovers that nothing else picked up. That's why it's neccessary to run so many programs

[Advertisements]

I was just wondering .... is there an easy way to get all these extra startup items off my Msconfig startup ??? I Obviously didnt do it the right way( here on my home computer)... If its not easy then i can just live with it,cause they dont ever start up....

I took me 3 Screenshots to get all the msconfig startup items to be displayed,,so thaats what those 3 attachments are.

Edited by retrac, 20 May 2005 - 08:24 PM.

[retrac]

I was just wondering .... is there an easy way to get all these extra startup items off my Msconfig startup ??? I Obviously didnt do it the right way( here on my home computer)... If its not easy then i can just live with it,cause they dont ever start up....

I took me 3 Screenshots to get all the msconfig startup items to be displayed,,so thaats what those 3 attachments are.

Edited by retrac, 20 May 2005 - 08:24 PM.

[retrac]

maybe i should use something smaller than Jpg ???

Edited by retrac, 20 May 2005 - 08:24 PM.

[Michelle]

What computer is this on? I've told you I do not like things being removed from startup with msconfig!

See that WebRebates in there? Bad program.

[retrac]

Yeah this is my PC at home ... all these things happened to me a month or 2 ago... i dont remeber how i got them all off..I sure wish i had known about you guys back then..(when mine got infected about a month ago is when i started geting in to all this spyware removal stuff....


i showed you this HJT log a lil while back.....you said good job on keeping "this" pc clean


Logfile of HijackThis v1.99.1
Scan saved at 4:51:53 AM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by retrac, 20 May 2005 - 12:33 PM.

[Michelle]

Yes, but obviously normal startup was not selected. You have a bad program in there. Please enable NORMAL startup then post another log.

[retrac]

you want me too recheck all those Startup in Msconfig ? even Webrebates and dumprep 0.......i think i remember those being real bad ??

[retrac]

im sorry about not having everything checked back when i ran a log for u on this CP i didnt know you wanted that .... I See Now.....

Ive got to get to work but i would love to knock these out tommorow or the next day if you dont mind ??

[Michelle]

I want normal startup so we can remove the bad stuff. why would you want those still on your computer??

[Michelle]

Nope, don't mind at all!

[retrac]

i really dont want those on there ... i just figured you cant get rid of them...... I kinda figured out last night( talkin with you) that these are the 04's in HJT and that the proper way to get rid of these is threw HJT....just put that together last night

im still a newbie

Late for work hehehehe again

[Michelle]

lol I'll be here when you get back

We'll get 'em!

[retrac]

well i got to work today and deciced to do a few scans: AVG didnt find anything YEA!!!!!, Spybot didnt find anything new YEA!!!! , then adAware Uh Oh




Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 156
ThreadCreationTime : 5-20-2005 10:11:31 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINNT\system32\csrss.exe
Command Line : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequest
ProcessID : 180
ThreadCreationTime : 5-20-2005 10:11:34 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 176
ThreadCreationTime : 5-20-2005 10:11:35 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : C:\WINNT\system32\services.exe
ProcessID : 228
ThreadCreationTime : 5-20-2005 10:11:36 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : C:\WINNT\system32\lsass.exe
ProcessID : 240
ThreadCreationTime : 5-20-2005 10:11:36 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost -k rpcss
ProcessID : 432
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
ModuleName : C:\WINNT\system32\LEXBCES.EXE
Command Line : C:\WINNT\system32\LEXBCES.EXE
ProcessID : 468
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 9.41
ProductVersion : 9.41
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : C:\WINNT\system32\spoolsv.exe
ProcessID : 496
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:9 [lexpps.exe]
ModuleName : C:\WINNT\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 524
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 9.41
ProductVersion : 9.41
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:10 [mainserv.exe]
ModuleName : C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
Command Line : "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe"
ProcessID : 584
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : Battery backup management service
InternalName : PowerChute
LegalCopyright : Copyright © 2002
OriginalFilename : PowerChute
Comments : Battery backup management service

#:11 [avgamsvr.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 596
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [avgupsvc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 612
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:13 [awhost32.exe]
ModuleName : C:\Program Files\Symantec\pcAnywhere\awhost32.exe
Command Line : "C:\Program Files\Symantec\pcAnywhere\awhost32.exe"
ProcessID : 644
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 10.5.1.505
ProductVersion : 10.5
ProductName : pcAnywhere
CompanyName : Symantec Corporation
FileDescription : pcAnywhere Host
InternalName : AWHOST32
LegalCopyright : Copyright 2002 by Symantec Corporation
OriginalFilename : AWHOST32.exe

#:14 [ctlsvr.exe]
ModuleName : C:\AlohaDrive\Aloha\bin\Ctlsvr.EXE
Command Line : C:\AlohaDrive\Aloha\bin\Ctlsvr.EXE
ProcessID : 712
ThreadCreationTime : 5-20-2005 10:12:03 PM
BasePriority : Normal
FileVersion : 5.2.8.151
ProductVersion : 5.2.8.151
ProductName : Aloha POS
CompanyName : Aloha Technologies
FileDescription : Aloha Control Service
InternalName : CtlSvr
LegalCopyright : Copyright © Aloha Technologies 1992-2003
OriginalFilename : CtlSvr.exe

#:15 [edcsvr.exe]
ModuleName : C:\AlohaDrive\Aloha\bin\Edcsvr.EXE
Command Line : C:\AlohaDrive\Aloha\bin\Edcsvr.EXE
ProcessID : 764
ThreadCreationTime : 5-20-2005 10:12:04 PM
BasePriority : Normal
FileVersion : 5.2.8.151
ProductVersion : 5.2.8.151
ProductName : Aloha POS
CompanyName : Aloha Technologies
FileDescription : Aloha EDC Service
InternalName : EdcSvr
LegalCopyright : Copyright © Aloha Technologies 1992-2003
OriginalFilename : EdcSvr.exe

#:16 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost.exe -k netsvcs
ProcessID : 792
ThreadCreationTime : 5-20-2005 10:12:07 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:17 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 804
ThreadCreationTime : 5-20-2005 10:12:08 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:18 [fssecs.exe]
ModuleName : C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
Command Line : C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
ProcessID : 852
ThreadCreationTime : 5-20-2005 10:12:09 PM
BasePriority : Normal
FileVersion : 2.0.1.6
ProductVersion : 2.0.1.6
CompanyName : Ibertech, Inc.
FileDescription : Fastech Software Security Server
LegalCopyright : Copyright © 1998 Ibertech, Inc.

#:19 [explorer.exe]
ModuleName : C:\WINNT\Explorer.EXE
Command Line : C:\WINNT\Explorer.EXE
ProcessID : 924
ThreadCreationTime : 5-20-2005 10:12:10 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:20 [regsvc.exe]
ModuleName : C:\WINNT\system32\regsvc.exe
Command Line : C:\WINNT\system32\regsvc.exe
ProcessID : 932
ThreadCreationTime : 5-20-2005 10:12:10 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:21 [mstask.exe]
ModuleName : C:\WINNT\system32\MSTask.exe
Command Line : C:\WINNT\system32\MSTask.exe
ProcessID : 976
ThreadCreationTime : 5-20-2005 10:12:11 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:22 [smagent.exe]
ModuleName : C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Command Line : "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe"
ProcessID : 1044
ThreadCreationTime : 5-20-2005 10:12:12 PM
BasePriority : Normal
FileVersion : 3, 2, 6, 0
ProductVersion : 3, 2, 6, 0
ProductName : SoundMAX service agent
CompanyName : Analog Devices, Inc.
FileDescription : SoundMAX service agent component
InternalName : SMAgent
LegalCopyright : Copyright © 2002
OriginalFilename : SMAgent.exe

#:23 [stisvc.exe]
ModuleName : C:\WINNT\system32\stisvc.exe
Command Line : C:\WINNT\system32\stisvc.exe
ProcessID : 1132
ThreadCreationTime : 5-20-2005 10:12:18 PM
BasePriority : Normal
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:24 [winmgmt.exe]
ModuleName : C:\WINNT\System32\WBEM\WinMgmt.exe
Command Line : C:\WINNT\System32\WBEM\WinMgmt.exe
ProcessID : 1168
ThreadCreationTime : 5-20-2005 10:12:18 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:25 [mspmspsv.exe]
ModuleName : C:\WINNT\system32\mspmspsv.exe
Command Line : C:\WINNT\system32\mspmspsv.exe
ProcessID : 1208
ThreadCreationTime : 5-20-2005 10:12:19 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:26 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost.exe -k wugroup
ProcessID : 1220
ThreadCreationTime : 5-20-2005 10:12:19 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:27 [lxbmbmgr.exe]
ModuleName : C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
Command Line : "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
ProcessID : 1280
ThreadCreationTime : 5-20-2005 10:12:26 PM
BasePriority : Normal
FileVersion : 0.1.25.0
ProductVersion : 0.1.25.0
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark 4200 Series Button Manager
InternalName : lxbmbmgr.exe
LegalCopyright : © 2002 Lexmark International, Inc.
OriginalFilename : lxbmbmgr.exe

#:28 [lxbmbmon.exe]
ModuleName : C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
Command Line : "C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe"
ProcessID : 1296
ThreadCreationTime : 5-20-2005 10:12:26 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : ACMonitor
InternalName : ACMonitor
LegalCopyright : Copyright © 2003
OriginalFilename : ACMonitor.exe

#:29 [avgcc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1300
ThreadCreationTime : 5-20-2005 10:12:27 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:30 [ituneshelper.exe]
ModuleName : C:\Program Files\iTunes\iTunesHelper.exe
Command Line : "C:\Program Files\iTunes\iTunesHelper.exe"
ProcessID : 1324
ThreadCreationTime : 5-20-2005 10:12:29 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:31 [hkcmd.exe]
ModuleName : C:\WINNT\system32\hkcmd.exe
Command Line : "C:\WINNT\system32\hkcmd.exe"
ProcessID : 1344
ThreadCreationTime : 5-20-2005 10:12:29 PM
BasePriority : Normal
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:32 [qbupdate.exe]
ModuleName : C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Command Line : "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe"
ProcessID : 1368
ThreadCreationTime : 5-20-2005 10:12:34 PM
BasePriority : Normal
FileVersion : 13.0 R9
ProductVersion : 13.0 R9
ProductName : QuickBooks
CompanyName : Intuit, Inc.
FileDescription : QBUpdate Module
InternalName : QBUpdate
LegalCopyright : Copyright © Intuit, Inc. 1993-2003.
OriginalFilename : QBUpdate.exe

#:33 [sgmain.exe]
ModuleName : C:\Program Files\SpywareGuard\sgmain.exe
Command Line : "C:\Program Files\SpywareGuard\sgmain.exe"
ProcessID : 1436
ThreadCreationTime : 5-20-2005 10:12:36 PM
BasePriority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SpywareGuard
FileDescription : SpywareGuard
InternalName : sgmain
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC
OriginalFilename : sgmain.exe
Comments : SpywareGuard

#:34 [sgbhp.exe]
ModuleName : C:\Program Files\SpywareGuard\sgbhp.exe
Command Line : "C:\Program Files\SpywareGuard\sgbhp.exe"
ProcessID : 1520
ThreadCreationTime : 5-20-2005 10:12:43 PM
BasePriority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SG Browser Hijacking Protection
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC.
OriginalFilename : sgbhp.exe
Comments : SG Browser Hijacking Protection

#:35 [apcsystray.exe]
ModuleName : C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
Command Line : "C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe"
ProcessID : 1532
ThreadCreationTime : 5-20-2005 10:12:45 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : PowerChute system tray power icon
InternalName : PowerChute
LegalCopyright : Copyright © 2002
OriginalFilename : PowerChute
Comments : PowerChute system tray power icon

#:36 [ipodservice.exe]
ModuleName : C:\Program Files\iPod\bin\iPodService.exe
Command Line : "C:\Program Files\iPod\bin\iPodService.exe"
ProcessID : 1196
ThreadCreationTime : 5-20-2005 10:14:00 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:37 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 624
ThreadCreationTime : 5-21-2005 1:45:40 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 16


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : aafve.txt
Category : Malware
Comment :
Object : C:\WINNT\system32\



CoolWebSearch Object Recognized!
Type : File
Data : qqlyfj.log
Category : Malware
Comment :
Object : C:\WINNT\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@atdmt[2].txt
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@doubleclick[2].txt
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {BE28F4DA-50BB-3475-6F55-FCD289F30927}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search\searchproperties\en-us
Value : SingleProvider

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 38

8:56:56 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:54.797
Objects scanned:257588
Objects identified:23
Objects ignored:0
New critical objects:23


i let ADAware fix all it found except for 2 cookie trackers on the D: drive( didnt realize it was gonna scan the D: but Aloha is still working so......i guess it was ok.

Im going out to have drinks tonight , but maybe we atta check to make sure that CWS isnt around anymore????? Wierd that there would be cookie trackers on my D: drive. insnt that wierd ???

Edited by retrac, 20 May 2005 - 08:32 PM.

[Michelle]

At least it was only cookies and not about:blank!!

I need you to post a new HiJackThis log to make sure everything is still good

[retrac]

cool ill post a new HJT log when i get in to work sat. around 2 ( i can barely type hehe ) its all the CoolWebSearch's that worry me .

preciate all your help

Edited by retrac, 21 May 2005 - 01:21 AM.