My HJT log [RESOLVED]


This topic is locked

#166 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
Go ahead and delete them with SpyBot. Just leftovers that nothing else picked up. That's why it's necessary to run so many programs :tazz:

#167 retrac
Visiting Staff, Topic Starter, Member, 578 posts
I was just wondering... is there an easy way to get all these extra startup items off my msconfig startup? I obviously didn't do it the right way (here on my home computer)... If it's not easy then I can just live with it, 'cause they don't ever start up....

It took me 3 screenshots to get all the msconfig startup items displayed, so that's what those 3 attachments are.

Edited by retrac, 20 May 2005 - 08:24 PM.


#168 retrac
Visiting Staff, Topic Starter, Member, 578 posts
Maybe I should use something smaller than JPG?

Edited by retrac, 20 May 2005 - 08:24 PM.


#169 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
What computer is this on? I've told you I do not like things being removed from startup with msconfig!

See that WebRebates in there? Bad program.

#170 retrac
Visiting Staff, Topic Starter, Member, 578 posts
Yeah, this is my PC at home... all these things happened to me a month or 2 ago... I don't remember how I got them all off. I sure wish I had known about you guys back then (when mine got infected about a month ago is when I started getting into all this spyware removal stuff).... :tazz:


I showed you this HJT log a little while back... you said good job on keeping "this" PC clean.


Logfile of HijackThis v1.99.1
Scan saved at 4:51:53 AM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by retrac, 20 May 2005 - 12:33 PM.

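The HijackThis log above is a line-oriented format: each entry is a section code (R1, O1, O4, O23 and so on) followed by the body, and the point made in this thread about startup items is that unchecking an item in msconfig only disables it, whereas fixing the corresponding O4 entry in HJT removes the Run-key value itself. The following Python is an added example, not code from the forum, from HijackThis or from its author: it classifies the log lines, lists the O4 autostarts, and flags HOSTS entries that pin a hostname to a non-loopback address. SAMPLE_LOG is a constructed excerpt of the log posted above plus two constructed lines (a localhost HOSTS entry and a Temp-folder autostart named "updater") so the checks have a benign and a suspicious case to separate; the user-directory heuristic is a reviewer shortcut added here, not a HijackThis rule.

```python
"""Classify HijackThis (HJT) log lines and pull out the entries a reviewer checks first.

Added example for this thread, not code from the forum or from HijackThis itself.
SAMPLE_LOG is a constructed excerpt of the v1.99.1 log posted above, plus two
constructed lines (the "127.0.0.1 localhost" HOSTS entry and the "[updater]"
Temp-folder autostart) so the checks below have a benign and a suspicious case.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip()

# What the common HJT section codes describe (the well-known HJT numbering).
SECTION_MEANING = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O1": "HOSTS file entry", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart (Run key / Startup folder)", "O8": "IE context menu item",
    "O9": "IE extra button / Tools menu item", "O16": "downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify / AppInit DLL", "O23": "Windows service",
}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
O1_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O4_RE = re.compile(r"^(?P<location>[^:\[]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")


def parse_log(text):
    """Return one dict per HJT entry; headers, blanks and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            section = m.group("section")
            entries.append({"section": section, "body": m.group("body"),
                            "meaning": SECTION_MEANING.get(section, "other")})
    return entries


def section_counts(entries):
    return Counter(e["section"] for e in entries)


def _is_loopback(ip):
    return ip.startswith("127.") or ip in ("0.0.0.0", "::1")


def hosts_redirects(entries):
    """O1 entries that pin a hostname to a non-loopback address; these are verified,
    not assumed malicious (the sample has one such line, copied from the log above)."""
    found = []
    for e in entries:
        m = O1_RE.match(e["body"]) if e["section"] == "O1" else None
        if m and not _is_loopback(m.group("ip")):
            found.append((m.group("ip"), m.group("host")))
    return found


def autostart_entries(entries):
    """O4 entries as (location, name, command). These are the items msconfig shows as
    startup items; HJT's fix deletes the registry value rather than unchecking it."""
    found = []
    for e in entries:
        m = O4_RE.match(e["body"]) if e["section"] == "O4" else None
        if m:
            found.append((m.group("location"), m.group("name"), m.group("command")))
    return found


# Heuristic added here (not an HJT rule): autostarts launched from temp or per-user
# directories deserve a closer look than ones installed under Program Files.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\", "\\appdata\\")


def autostarts_from_user_dirs(entries):
    return [a for a in autostart_entries(entries)
            if any(d in a[2].lower() for d in SUSPECT_DIRS)]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", dict(section_counts(parsed)))
    print("HOSTS redirects:", hosts_redirects(parsed))
    for location, name, command in autostart_entries(parsed):
        print(f"autostart {location} [{name}] -> {command}")
    print("autostarts from user/temp dirs:", autostarts_from_user_dirs(parsed))
```

Running it lists nine entries, the single non-loopback HOSTS line, three O4 autostarts, and flags only the constructed "updater" entry; the two real autostarts from the log (AVG and ZoneAlarm) run from Program Files and are not flagged.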

#171 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
Yes, but obviously normal startup was not selected. You have a bad program in there. Please enable NORMAL startup then post another log.

#172 retrac
Visiting Staff, Topic Starter, Member, 578 posts
You want me to recheck all those startup items in msconfig? Even WebRebates and dumprep 0...? I think I remember those being real bad.

#173 retrac
Visiting Staff, Topic Starter, Member, 578 posts
I'm sorry about not having everything checked back when I ran a log for you on this PC; I didn't know you wanted that.... I see now.....

I've got to get to work, but I would love to knock these out tomorrow or the next day if you don't mind?

#174 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
I want normal startup so we can remove the bad stuff. Why would you want those still on your computer??

#175 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
Nope, don't mind at all! :tazz:

#176 retrac
Visiting Staff, Topic Starter, Member, 578 posts
I really don't want those on there... I just figured you can't get rid of them...... I kinda figured out last night (talking with you) that these are the O4's in HJT and that the proper way to get rid of these is through HJT.... just put that together last night :tazz:

I'm still a newbie.

Late for work hehehehe again

#177 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
lol I'll be here when you get back :tazz:

We'll get 'em!

#178 retrac
Visiting Staff, Topic Starter, Member, 578 posts
Well, I got to work today and decided to do a few scans: AVG didn't find anything YEA!!!!!, Spybot didn't find anything new YEA!!!!, then Ad-Aware... Uh Oh




Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 156
ThreadCreationTime : 5-20-2005 10:11:31 PM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINNT\system32\csrss.exe
Command Line : C:\WINNT\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequest
ProcessID : 180
ThreadCreationTime : 5-20-2005 10:11:34 PM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINNT\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 176
ThreadCreationTime : 5-20-2005 10:11:35 PM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINNT\system32\services.exe
Command Line : C:\WINNT\system32\services.exe
ProcessID : 228
ThreadCreationTime : 5-20-2005 10:11:36 PM
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINNT\system32\lsass.exe
Command Line : C:\WINNT\system32\lsass.exe
ProcessID : 240
ThreadCreationTime : 5-20-2005 10:11:36 PM
BasePriority : Normal
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost -k rpcss
ProcessID : 432
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [lexbces.exe]
ModuleName : C:\WINNT\system32\LEXBCES.EXE
Command Line : C:\WINNT\system32\LEXBCES.EXE
ProcessID : 468
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 9.41
ProductVersion : 9.41
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:8 [spoolsv.exe]
ModuleName : C:\WINNT\system32\spoolsv.exe
Command Line : C:\WINNT\system32\spoolsv.exe
ProcessID : 496
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe

#:9 [lexpps.exe]
ModuleName : C:\WINNT\system32\LEXPPS.EXE
Command Line : LEXPPS.EXE
ProcessID : 524
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 9.41
ProductVersion : 9.41
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : © 1993 - 2003 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:10 [mainserv.exe]
ModuleName : C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
Command Line : "C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe"
ProcessID : 584
ThreadCreationTime : 5-20-2005 10:11:39 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : Battery backup management service
InternalName : PowerChute
LegalCopyright : Copyright © 2002
OriginalFilename : PowerChute
Comments : Battery backup management service

#:11 [avgamsvr.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
ProcessID : 596
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:12 [avgupsvc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Command Line : C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
ProcessID : 612
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG 7.0 Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgupdsvc.EXE

#:13 [awhost32.exe]
ModuleName : C:\Program Files\Symantec\pcAnywhere\awhost32.exe
Command Line : "C:\Program Files\Symantec\pcAnywhere\awhost32.exe"
ProcessID : 644
ThreadCreationTime : 5-20-2005 10:11:40 PM
BasePriority : Normal
FileVersion : 10.5.1.505
ProductVersion : 10.5
ProductName : pcAnywhere
CompanyName : Symantec Corporation
FileDescription : pcAnywhere Host
InternalName : AWHOST32
LegalCopyright : Copyright 2002 by Symantec Corporation
OriginalFilename : AWHOST32.exe

#:14 [ctlsvr.exe]
ModuleName : C:\AlohaDrive\Aloha\bin\Ctlsvr.EXE
Command Line : C:\AlohaDrive\Aloha\bin\Ctlsvr.EXE
ProcessID : 712
ThreadCreationTime : 5-20-2005 10:12:03 PM
BasePriority : Normal
FileVersion : 5.2.8.151
ProductVersion : 5.2.8.151
ProductName : Aloha POS
CompanyName : Aloha Technologies
FileDescription : Aloha Control Service
InternalName : CtlSvr
LegalCopyright : Copyright © Aloha Technologies 1992-2003
OriginalFilename : CtlSvr.exe

#:15 [edcsvr.exe]
ModuleName : C:\AlohaDrive\Aloha\bin\Edcsvr.EXE
Command Line : C:\AlohaDrive\Aloha\bin\Edcsvr.EXE
ProcessID : 764
ThreadCreationTime : 5-20-2005 10:12:04 PM
BasePriority : Normal
FileVersion : 5.2.8.151
ProductVersion : 5.2.8.151
ProductName : Aloha POS
CompanyName : Aloha Technologies
FileDescription : Aloha EDC Service
InternalName : EdcSvr
LegalCopyright : Copyright © Aloha Technologies 1992-2003
OriginalFilename : EdcSvr.exe

#:16 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost.exe -k netsvcs
ProcessID : 792
ThreadCreationTime : 5-20-2005 10:12:07 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:17 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 804
ThreadCreationTime : 5-20-2005 10:12:08 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:18 [fssecs.exe]
ModuleName : C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
Command Line : C:\ALOHAD~1\ALOHA\BACKOF~1\LICENSE\FSSECS.EXE
ProcessID : 852
ThreadCreationTime : 5-20-2005 10:12:09 PM
BasePriority : Normal
FileVersion : 2.0.1.6
ProductVersion : 2.0.1.6
CompanyName : Ibertech, Inc.
FileDescription : Fastech Software Security Server
LegalCopyright : Copyright © 1998 Ibertech, Inc.

#:19 [explorer.exe]
ModuleName : C:\WINNT\Explorer.EXE
Command Line : C:\WINNT\Explorer.EXE
ProcessID : 924
ThreadCreationTime : 5-20-2005 10:12:10 PM
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:20 [regsvc.exe]
ModuleName : C:\WINNT\system32\regsvc.exe
Command Line : C:\WINNT\system32\regsvc.exe
ProcessID : 932
ThreadCreationTime : 5-20-2005 10:12:10 PM
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE

#:21 [mstask.exe]
ModuleName : C:\WINNT\system32\MSTask.exe
Command Line : C:\WINNT\system32\MSTask.exe
ProcessID : 976
ThreadCreationTime : 5-20-2005 10:12:11 PM
BasePriority : Normal
FileVersion : 4.71.2195.6920
ProductVersion : 4.71.2195.6920
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 1997
OriginalFilename : mstask.exe

#:22 [smagent.exe]
ModuleName : C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Command Line : "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe"
ProcessID : 1044
ThreadCreationTime : 5-20-2005 10:12:12 PM
BasePriority : Normal
FileVersion : 3, 2, 6, 0
ProductVersion : 3, 2, 6, 0
ProductName : SoundMAX service agent
CompanyName : Analog Devices, Inc.
FileDescription : SoundMAX service agent component
InternalName : SMAgent
LegalCopyright : Copyright © 2002
OriginalFilename : SMAgent.exe

#:23 [stisvc.exe]
ModuleName : C:\WINNT\system32\stisvc.exe
Command Line : C:\WINNT\system32\stisvc.exe
ProcessID : 1132
ThreadCreationTime : 5-20-2005 10:12:18 PM
BasePriority : Normal
FileVersion : 5.00.2195.6656
ProductVersion : 5.00.2195.6656
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1996-1997
OriginalFilename : STIMON.EXE

#:24 [winmgmt.exe]
ModuleName : C:\WINNT\System32\WBEM\WinMgmt.exe
Command Line : C:\WINNT\System32\WBEM\WinMgmt.exe
ProcessID : 1168
ThreadCreationTime : 5-20-2005 10:12:18 PM
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:25 [mspmspsv.exe]
ModuleName : C:\WINNT\system32\mspmspsv.exe
Command Line : C:\WINNT\system32\mspmspsv.exe
ProcessID : 1208
ThreadCreationTime : 5-20-2005 10:12:19 PM
BasePriority : Normal
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:26 [svchost.exe]
ModuleName : C:\WINNT\system32\svchost.exe
Command Line : C:\WINNT\system32\svchost.exe -k wugroup
ProcessID : 1220
ThreadCreationTime : 5-20-2005 10:12:19 PM
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:27 [lxbmbmgr.exe]
ModuleName : C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
Command Line : "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
ProcessID : 1280
ThreadCreationTime : 5-20-2005 10:12:26 PM
BasePriority : Normal
FileVersion : 0.1.25.0
ProductVersion : 0.1.25.0
ProductName : Button Manager Executable
CompanyName : Lexmark International, Inc.
FileDescription : Lexmark 4200 Series Button Manager
InternalName : lxbmbmgr.exe
LegalCopyright : © 2002 Lexmark International, Inc.
OriginalFilename : lxbmbmgr.exe

#:28 [lxbmbmon.exe]
ModuleName : C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
Command Line : "C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe"
ProcessID : 1296
ThreadCreationTime : 5-20-2005 10:12:26 PM
BasePriority : Normal
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
ProductName : Button Monitor Executable
CompanyName : Lexmark International, Inc.
FileDescription : ACMonitor
InternalName : ACMonitor
LegalCopyright : Copyright © 2003
OriginalFilename : ACMonitor.exe

#:29 [avgcc.exe]
ModuleName : C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
Command Line : "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
ProcessID : 1300
ThreadCreationTime : 5-20-2005 10:12:27 PM
BasePriority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:30 [ituneshelper.exe]
ModuleName : C:\Program Files\iTunes\iTunesHelper.exe
Command Line : "C:\Program Files\iTunes\iTunesHelper.exe"
ProcessID : 1324
ThreadCreationTime : 5-20-2005 10:12:29 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:31 [hkcmd.exe]
ModuleName : C:\WINNT\system32\hkcmd.exe
Command Line : "C:\WINNT\system32\hkcmd.exe"
ProcessID : 1344
ThreadCreationTime : 5-20-2005 10:12:29 PM
BasePriority : Normal
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2003, Intel Corporation
OriginalFilename : HKCMD.EXE

#:32 [qbupdate.exe]
ModuleName : C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Command Line : "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe"
ProcessID : 1368
ThreadCreationTime : 5-20-2005 10:12:34 PM
BasePriority : Normal
FileVersion : 13.0 R9
ProductVersion : 13.0 R9
ProductName : QuickBooks
CompanyName : Intuit, Inc.
FileDescription : QBUpdate Module
InternalName : QBUpdate
LegalCopyright : Copyright © Intuit, Inc. 1993-2003.
OriginalFilename : QBUpdate.exe

#:33 [sgmain.exe]
ModuleName : C:\Program Files\SpywareGuard\sgmain.exe
Command Line : "C:\Program Files\SpywareGuard\sgmain.exe"
ProcessID : 1436
ThreadCreationTime : 5-20-2005 10:12:36 PM
BasePriority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SpywareGuard
FileDescription : SpywareGuard
InternalName : sgmain
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC
OriginalFilename : sgmain.exe
Comments : SpywareGuard

#:34 [sgbhp.exe]
ModuleName : C:\Program Files\SpywareGuard\sgbhp.exe
Command Line : "C:\Program Files\SpywareGuard\sgbhp.exe"
ProcessID : 1520
ThreadCreationTime : 5-20-2005 10:12:43 PM
BasePriority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SG Browser Hijacking Protection
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC.
OriginalFilename : sgbhp.exe
Comments : SG Browser Hijacking Protection

#:35 [apcsystray.exe]
ModuleName : C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
Command Line : "C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe"
ProcessID : 1532
ThreadCreationTime : 5-20-2005 10:12:45 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
ProductName : APC PowerChute Personal Edition
CompanyName : American Power Conversion Corporation
FileDescription : PowerChute system tray power icon
InternalName : PowerChute
LegalCopyright : Copyright © 2002
OriginalFilename : PowerChute
Comments : PowerChute system tray power icon

#:36 [ipodservice.exe]
ModuleName : C:\Program Files\iPod\bin\iPodService.exe
Command Line : "C:\Program Files\iPod\bin\iPodService.exe"
ProcessID : 1196
ThreadCreationTime : 5-20-2005 10:14:00 PM
BasePriority : Normal
FileVersion : 4.7.1.30
ProductVersion : 4.7.1.30
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2004 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:37 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 624
ThreadCreationTime : 5-21-2005 1:45:40 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 16


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : aafve.txt
Category : Malware
Comment :
Object : C:\WINNT\system32\



CoolWebSearch Object Recognized!
Type : File
Data : qqlyfj.log
Category : Malware
Comment :
Object : C:\WINNT\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@atdmt[2].txt
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@doubleclick[2].txt
Category : Data Miner
Comment :
Value : D:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 20


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {BE28F4DA-50BB-3475-6F55-FCD289F30927}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search\searchproperties\en-us
Value : SingleProvider

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Enable Browser Extensions

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 38

8:56:56 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:54.797
Objects scanned:257588
Objects identified:23
Objects ignored:0
New critical objects:23


I let Ad-Aware fix all it found except for 2 tracking cookies on the D: drive (didn't realize it was gonna scan the D:, but Aloha is still working so...... I guess it was OK).

I'm going out to have drinks tonight, but maybe we oughta check to make sure that CWS isn't around anymore????? Weird that there would be tracking cookies on my D: drive. Isn't that weird???

Edited by retrac, 20 May 2005 - 08:32 PM.

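The Ad-Aware report above records one block per detection, so a single CoolWebSearch uninstall key appears three times (the key itself, its DisplayName value and its UninstallString value). The Python below is an added example, not code from the forum or from Lavasoft: it parses those "Object Recognized!" blocks, collapses the registry hits to one line per key, resolves file hits to full paths, and offers a post-cleanup check for reported files that are still on disk, which is the "make sure CWS isn't around anymore" question asked in the post. SAMPLE_REPORT is a constructed, abridged excerpt of the report above (five records, Comment lines dropped); the exists callback of still_present is injectable so the check runs offline.

```python
"""Turn an Ad-Aware SE scan report into a consolidated remediation checklist.

Added example for this thread, not code from the forum or from Lavasoft.
SAMPLE_REPORT is a constructed, abridged excerpt of the report posted above.
"""
import os
import re
from collections import Counter

SAMPLE_REPORT = r"""
CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : File
Data : aafve.txt
Category : Malware
Object : C:\WINNT\system32\

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@atdmt[2].txt
Category : Data Miner
Value : D:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt
""".strip()

HEADER_RE = re.compile(r"^(?P<family>.+?) Object Recognized!$")
FIELD_RE = re.compile(r"^(?P<key>\w+)\s*:\s?(?P<value>.*)$")


def parse_report(text):
    """Split the report into one dict per 'Object Recognized!' block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"family": m.group("family")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group("key"), m.group("value").strip()
            if value or key not in current:  # RegData blocks repeat 'Data'; keep a non-empty copy
                current[key] = value
    return records


def consolidate(records):
    """Collapse Regkey/RegValue/RegData hits on one key into a single entry and resolve
    file hits to full paths. Returns (family counts, {key: value names}, file paths)."""
    families, registry, files = Counter(), {}, []
    for r in records:
        families[r["family"]] += 1
        kind = r.get("Type")
        if kind in ("Regkey", "RegValue", "RegData"):
            names = registry.setdefault(r["Rootkey"] + "\\" + r["Object"], set())
            if r.get("Value"):
                names.add(r["Value"])
        elif kind == "File":            # Object is the directory, Data the file name
            files.append(r["Object"] + r["Data"])
        elif kind == "IECache Entry":   # Value already holds the full cookie path
            files.append(r["Value"])
    return families, registry, files


def still_present(paths, exists=os.path.exists):
    """Post-cleanup verification: reported files that are still on disk. The exists
    callback is injectable so the check can be exercised without a Windows box."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    fam, reg, paths = consolidate(parse_report(SAMPLE_REPORT))
    print("detections per family:", dict(fam))
    for key, names in reg.items():
        print("registry:", key, sorted(names))
    print("files still present:", still_present(paths))
```

On the sample the three CoolWebSearch registry records collapse to one key with two value names, and the two file-type records become two full paths that can be re-checked after the cleanup run.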

#179 Michelle
Malware Removal Goddess, Retired Staff, 8,928 posts
At least it was only cookies and not about:blank!! :tazz:

I need you to post a new HiJackThis log to make sure everything is still good ;)

#180 retrac
Visiting Staff, Topic Starter, Member, 578 posts
Cool, I'll post a new HJT log when I get in to work Sat. around 2 (I can barely type hehe). It's all the CoolWebSearch's that worry me.

'Preciate all your help :tazz:

Edited by retrac, 21 May 2005 - 01:21 AM.
