Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hosts file keeps changing [CLOSED]


  • This topic is locked This topic is locked

#16
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Well, I believe we found your problem. You have a vx2 infection that didn't show up in your HJT logs, probably because it was never completely fixed. I'm sorry, I haven't been ignoring those registry entries, I'm simply trying to find where this is coming from. I should have told you so :tazz:.

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!
  • 0

Advertisements


#17
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
hey insipid, sorry I didn't see this last post!! duh... Ok ran it... here's the log :

L2Mfix 1.03

Running From:
C:\Documents and Settings\Jason Prance\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Jason Prance\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Jason Prance\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1320 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1524 'rundll32.exe'
Killing PID 328 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\jtpl400.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\widtrace.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\jtpl400.dll
Successfully Deleted: C:\WINDOWS\system32\jtpl400.dll
deleting: C:\WINDOWS\system32\widtrace.dll
Successfully Deleted: C:\WINDOWS\system32\widtrace.dll


Zipping up files for submission:
adding: jtpl400.dll (164 bytes security) (deflated 4%)
adding: widtrace.dll (164 bytes security) (deflated 4%)
adding: clear.reg (164 bytes security) (deflated 23%)
adding: echo.reg (164 bytes security) (deflated 10%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 74%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 60%)
adding: test.txt (164 bytes security) (deflated 34%)
adding: test2.txt (164 bytes security) (stored 0%)
adding: test3.txt (164 bytes security) (stored 0%)
adding: test5.txt (164 bytes security) (stored 0%)
adding: xfind.txt (164 bytes security) (deflated 29%)
adding: backregs/B1C9E07D-4B92-4EEB-8F40-4CA47C4E9F5E.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: jtpl400.dll
deleting local copy: widtrace.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\jtpl400.dll
C:\WINDOWS\system32\widtrace.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B1C9E07D-4B92-4EEB-8F40-4CA47C4E9F5E}"=-
[-HKEY_CLASSES_ROOT\CLSID\{B1C9E07D-4B92-4EEB-8F40-4CA47C4E9F5E}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************






And here's the HJT log now :

Logfile of HijackThis v1.99.1
Scan saved at 11:46:35 PM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\AcroDist.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason Prance\My Documents\HijackThis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094274699265
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresp...t/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#18
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
infinitydragon, it looks like l2mfix deleted the file jtpl400.dll, is it still there? Also, were you logged in with Administrator privileges when you ran the tool?

Let's take care of those registry entries Spysubtract is finding.

Open Notepad, copy and paste the text in the box below and "Save As" removit.reg
In the "Save as type" select: All Files

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT\]

Double-click on removit.reg and allow it to merge with the registry.

Tell me if your problems still persist.
  • 0

#19
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Yes!! that file is gone. However, after doing the removit.reg fix those 9 entires are still showing up in a spysubtract scan and still come right back after deleting them. Isearch also still shows up in Firefox.

Almost there I think...
  • 0

#20
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Ok, one infection down! I haven't seen any evidence of Isearch in any of the logs we've gotten, but what else is new? Have any of the icons on your desktop been Isearch?

This infection is known, and the fixes exist. It's weird that it's hijacked Firefox, though. Oh, well, let's try to find it.

Check for Isearch Toolbar under Add/Remove Programs in the Control Panel and uninstall it if it's there. You've probably already done this, but it doesn't completely uninstall anyway.

Next, try to locate the following files and delete any you find:

evidence eraser.lnk
initial.inf
isearch.cat
patch.exe
popup blocker stops popups.lnk
spyware avenger.lnk
C:\Windows\system\toolbar.dll
C:\Windows\system\toolbar_.dll
C:\Windows\system32\toolbar_.dll
C:\Windows\system32\winhot32.dll
virus hunter security.lnk
your platinum visa.lnk

Please download CCleaner from here:
http://www.ccleaner.com
Install and run it, and clean out your Temporary and Temporary Internet Files.

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". This will restore the original default Hosts file.

Click "Make Read Only" to prevent any further changes to Hosts. I suggest this as a precaution, I'll suggest a very good Hosts file when we're finished.

Exit Program.

Reboot and post a new HJT log, and tell me which of those files you found (if any).
  • 0

#21
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Insipid, I feel we're getting closer!!! I found none of those files on my hard drive that you listed. And I ran CCleaner. I'm left with this HJT log and still those 9 entries that SpySubtract is finding. I can't delete them without them coming right back.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:29 AM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\asuskbservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason Prance\My Documents\HijackThis\HijackThis.exe

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094274699265
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc3.webresp...t/TLIEFlash.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O20 - Winlogon Notify: GoToMyPC - C:\WINDOWS\SYSTEM32\G2WinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#22
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Please download and install Registrar Lite. Run reglite and paste this line into the address box:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DELPROT

Click on 'Go', then highlight LEGACY_DELPROT in the left pane. Select Security >> Edit Permissions from the pull down menu at the top. Make sure 'Read' and 'Full Control' aren't set to 'Deny', then click the 'Advanced' button, then make sure the 'Inherit from the parent the permission entries....' is unchecked, and select 'Remove' at the warning prompt.

Press 'Ok' twice to back out and exit Registrar Lite.

Reboot, and run removit.reg again. Next, check to see if Spysubtract still detects those registry keys.

If that didn't work:

Rescan with MWAV and post the results from the lower pane only.

[*]When you execute dllcompare.exe, by default the c:\windows\system32 is selected. This can be changed to scan your entire computer for any file type - Simply select the path and check off the box labelled "Include SubDirectories"
[*]Click on "Locate.com" and allow the scan to complete.
[*]After the scan has finished click on "Compare" to scan for the files that Windows does not see. This step will take a few minutes to run.
[*]If the box at the bottom of the screen contains any files, these are the ones that are hidden - Click on "Make a Log of what was Found".
[*]When prompted to "View Log File" click on "Yes".
[*]Notepad will open with the log file contents.

Post the dllcompare log as well. We'll fix this one way or another :tazz:.
  • 0

#23
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hi insipid,

Well, the first half of the email didn't fix those 9 entires. And I couldn't get those two links you provided to download the newer virus scanner to work. Any other links than those?

Thanks
  • 0

#24
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Update... I tried that Brinkster link again this morning and downloaded a DLLcompare.zip however when I tried to open, it said it is invalid or corrupt. Odd?
  • 0

#25
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
infinitydragon, the problem with dllcompare is annoying, but not to worry. I wanted to see the mwav log, do you still have it?

You say iSearch shows up in Firefox, can you describe exactly what you mean? Has it added a button on your toolbar?

I normally hate malware, but yours is earning special consideration :tazz:. Going back over that l2mfix log, I notice some discrepancies that may be important. First, though, I'd like to try some basic automated scans, and then we'll see if we can't take care of the files l2mfix may have missed.

Please save these instructions to a Notepad file on your desktop, we will need them later.

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeek...ownload506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.

Next, scan with Spybot Search and Destroy:
  • Download the latest version of Spybot from either:
    * http://www.safer-net...load/index.html
    * http://www.spybot.in...rors/index.html
  • Install spybot and by default is should install into C:\Program Files\Spybot - Search & Destroy.
  • Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
  • The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
  • Click on "Search for Updates".
  • If any updates are found, place a check mark next to each and click on "Download Updates".
  • Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to immunize at the top.
  • Click on "Search & Destroy" => "Check for Problems".
  • When Spybot is complete, it will show RED entries, BLACK entries, and GREEN entries in the window.
  • Make sure there is a check mark beside the RED entries ONLY.
  • Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.
Reboot again.

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\ctseqchk.dll
C:\WINDOWS\System32\rhipxmib.dll
C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\KGyGaAvL.sys

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Reboot, and post a fresh HJT log and the mwav log if you can. Also, please report how the Ad-aware and Spybot scans went, and detail the iSearch problem with Firefox. We'll beat this one way or another ;).
  • 0

Advertisements


#26
infinitydragon

infinitydragon

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Wow... When I asked for help I didn't want THIS much help. Hahahah. :tazz: J/K

That looks like it will take a little while and I'm going out of town, I'll pick back up where we left off for sure!!

I am running Adaware now like you asked again, I do have the professional version already. It finds much more than SE it seems. Also, to answer your question, iSearch only appears in the very upper right corner of firefox as an option for a search engine along with Google, Yahoo, and others already there.

Thanks SO much for all your help, I'll be in touch!!

Here's my log from Adware (pretty clean) :


Ad-Aware SE Build 1.05
Logfile Created on:Friday, May 27, 2005 9:49:03 PM
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):32 total references
Tracking Cookie(TAC index:3):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R46 17.05.2005
Internal build : 54
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 474775 Bytes
Total size : 1435210 Bytes
Signature data size : 1404100 Bytes
Reference data size : 30598 Bytes
Signatures total : 40060
Fingerprints total : 883
Fingerprints size : 30250 Bytes
Target categories : 15
Target families : 674


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:71 %
Total physical memory:2096368 kb
Available physical memory:1479424 kb
Total page file size:2725560 kb
Available on page file:2230468 kb
Total virtual memory:2097024 kb
Available virtual memory:2040748 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Ignore spanned files when scanning cab archives
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Block pop-ups aggressively
Set : Automatically select problematic objects in results lists
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Show splash screen
Set : Backup current definitions file before updating
Set : Play sound at scan completion if scan locates critical objects


5-27-2005 9:49:03 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 760
ThreadCreationTime : 5-28-2005 1:15:24 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 876
ThreadCreationTime : 5-28-2005 1:15:30 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 900
ThreadCreationTime : 5-28-2005 1:15:30 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 944
ThreadCreationTime : 5-28-2005 1:15:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 956
ThreadCreationTime : 5-28-2005 1:15:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 1100
ThreadCreationTime : 5-28-2005 1:15:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 1200
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 1240
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 1284
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 1340
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : C:\WINDOWS\system32\spoolsv.exe
ProcessID : 1588
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:12 [versioncuecs2.exe]
ModuleName : C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
Command Line : "C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service
ProcessID : 1684
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal


#:13 [asuskbservice.exe]
ModuleName : C:\WINDOWS\asuskbservice.exe
Command Line : C:\WINDOWS\asuskbservice.exe
ProcessID : 1696
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : ASUS Keyboard Service
CompanyName : ASUSTeK COMPUTER INC.
FileDescription : ASUS Keyboard Service
InternalName : ASUSKBService
LegalCopyright : Copyright © 2004 @ASUSTeK COMPUTER INC.
OriginalFilename : ASUSKBService.exe

#:14 [ctsvccda.exe]
ModuleName : C:\WINDOWS\system32\CTsvcCDA.exe
Command Line : C:\WINDOWS\system32\CTsvcCDA.exe
ProcessID : 1708
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
ProductName : Creative Service for CDROM Access
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.
OriginalFilename : CTsvcCDA.EXE

#:15 [ewidoctrl.exe]
ModuleName : C:\Program Files\ewido\security suite\ewidoctrl.exe
Command Line : "C:\Program Files\ewido\security suite\ewidoctrl.exe"
ProcessID : 1748
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:16 [mcupdmgr.exe]
ModuleName : C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Command Line : C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
ProcessID : 1784
ThreadCreationTime : 5-28-2005 1:15:31 AM
BasePriority : Normal
FileVersion : 5, 1, 0, 0
ProductVersion : 5, 0, 0, 0
ProductName : McAfee SecurityCenter Update Manager
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Update Manager
InternalName : mcupdmgr
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcupdmgr.exe

#:17 [mcvsrte.exe]
ModuleName : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
Command Line : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding
ProcessID : 1888
ThreadCreationTime : 5-28-2005 1:15:32 AM
BasePriority : Normal
FileVersion : 9, 1, 0, 8
ProductVersion : 9, 1, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc
FileDescription : McAfee VirusScan Real-time Engine
InternalName : mcvsrte
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsrte.exe
Comments : McAfee VirusScan Real-time Engine

#:18 [nvsvc32.exe]
ModuleName : C:\WINDOWS\system32\nvsvc32.exe
Command Line : C:\WINDOWS\system32\nvsvc32.exe
ProcessID : 1940
ThreadCreationTime : 5-28-2005 1:15:32 AM
BasePriority : Normal
FileVersion : 6.14.10.6176
ProductVersion : 6.14.10.6176
ProductName : NVIDIA Driver Helper Service, Version 61.76
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 61.76
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:19 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k imgsvc
ProcessID : 2028
ThreadCreationTime : 5-28-2005 1:15:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:20 [wdfmgr.exe]
ModuleName : C:\WINDOWS\system32\wdfmgr.exe
Command Line : C:\WINDOWS\system32\wdfmgr.exe
ProcessID : 260
ThreadCreationTime : 5-28-2005 1:15:32 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:21 [mspmspsv.exe]
ModuleName : C:\WINDOWS\system32\MsPMSPSv.exe
Command Line : C:\WINDOWS\system32\MsPMSPSv.exe
ProcessID : 424
ThreadCreationTime : 5-28-2005 1:15:33 AM
BasePriority : Normal
FileVersion : 7.00.00.1954
ProductVersion : 7.00.00.1954
ProductName : Microsoft ® DRM
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : MSPMSPSV.EXE

#:22 [mysqld-nt.exe]
ModuleName : C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
Command Line : "C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\Adobe\Adobe Version Cue CS2\config\my.ini" --basedir=. --data=data --user=nobody --bind-address=127.0.0.1 --console --socket=../../temp/mysql-vcw.s
ProcessID : 1500
ThreadCreationTime : 5-28-2005 1:15:34 AM
BasePriority : Normal


#:23 [mcshield.exe]
ModuleName : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
Command Line : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
ProcessID : 368
ThreadCreationTime : 5-28-2005 1:15:36 AM
BasePriority : High


#:24 [alg.exe]
ModuleName : C:\WINDOWS\System32\alg.exe
Command Line : C:\WINDOWS\System32\alg.exe
ProcessID : 804
ThreadCreationTime : 5-28-2005 1:15:37 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:25 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 3404
ThreadCreationTime : 5-28-2005 1:27:40 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:26 [anvshell.exe]
ModuleName : C:\WINDOWS\anvshell.exe
Command Line : "C:\WINDOWS\anvshell.exe"
ProcessID : 3564
ThreadCreationTime : 5-28-2005 1:27:42 AM
BasePriority : Normal
FileVersion : 2.01.00
ProductVersion : 2.01.00
ProductName : ASUS nVidia Series Shell
CompanyName : AsusTeK Computer Inc.
FileDescription : ASUS nVidia Series Shell
InternalName : ANVShell
LegalCopyright : Copyright © 2004
OriginalFilename : ANVShell.EXE

#:27 [ctsysvol.exe]
ModuleName : C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
Command Line : "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" /r
ProcessID : 3572
ThreadCreationTime : 5-28-2005 1:27:42 AM
BasePriority : Normal
FileVersion : 1.3.8.0
ProductVersion : 1.0.0.0
ProductName : Creative Volume Control
CompanyName : Creative Technology Ltd
FileDescription : CTSysVol.exe
LegalCopyright : Copyright © Creative Technology Ltd., 2002-2003. All rights reserved.
OriginalFilename : CTSysVol.exe

#:28 [ctdvddet.exe]
ModuleName : C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
Command Line : "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
ProcessID : 3580
ThreadCreationTime : 5-28-2005 1:27:42 AM
BasePriority : Normal
FileVersion : 1.0.3.0
ProductVersion : 1.0.3.0
ProductName : CTDVDDET
CompanyName : Creative Technology Ltd
FileDescription : CTDVDDET
InternalName : CTDVDDET
LegalCopyright : Copyright © Creative Technology Ltd., 2002-2003. All rights reserved.
OriginalFilename : CTDVDDET.EXE

#:29 [cthelper.exe]
ModuleName : C:\WINDOWS\system32\CTHELPER.EXE
Command Line : "C:\WINDOWS\system32\CTHELPER.EXE"
ProcessID : 3588
ThreadCreationTime : 5-28-2005 1:27:42 AM
BasePriority : Normal
FileVersion : 1, 0, 1, 2
ProductVersion : 1, 0, 1, 2
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002-03
OriginalFilename : CtHelper.EXE

#:30 [hpztsb07.exe]
ModuleName : C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
Command Line : "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe"
ProcessID : 3612
ThreadCreationTime : 5-28-2005 1:27:43 AM
BasePriority : Normal
FileVersion : 2,140,0,0
ProductVersion : 2,140,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:31 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 3620
ThreadCreationTime : 5-28-2005 1:27:43 AM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:32 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 3628
ThreadCreationTime : 5-28-2005 1:27:43 AM
BasePriority : Normal
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:33 [gnotify.exe]
ModuleName : C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
Command Line : "C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe"
ProcessID : 3640
ThreadCreationTime : 5-28-2005 1:27:43 AM
BasePriority : Normal
FileVersion : 1.0.24.0
ProductVersion : 1.0.24.0
ProductName : Gmail
CompanyName : Google Inc.
FileDescription : Gmail Notifier
LegalCopyright : Copyright © Google Inc. 2004
OriginalFilename : gnotify.exe

#:34 [rundll32.exe]
ModuleName : C:\WINDOWS\system32\RUNDLL32.EXE
Command Line : "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
ProcessID : 3652
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:35 [g2svc.exe]
ModuleName : C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
Command Line : "C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -logon
ProcessID : 3664
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 4.1 Build 314
ProductVersion : 4.1 Build 314
ProductName : GoToMyPC
CompanyName : Citrix Online
FileDescription : GoToMyPC Host Loader
InternalName : GoToMyPC Host Loader
LegalCopyright : Copyright © 1997-2004 Citrix Online LLC
OriginalFilename : g2svc.exe

#:36 [jusched.exe]
ModuleName : C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
Command Line : "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
ProcessID : 3684
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal


#:37 [dvd43_tray.exe]
ModuleName : C:\Program Files\dvd43\dvd43_tray.exe
Command Line : "C:\Program Files\dvd43\dvd43_tray.exe"
ProcessID : 3700
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 3.5.0.110
ProductVersion : 3.5.0.0
ProductName : DVD43
CompanyName : Captain Red
FileDescription : Inline DVD Decryption engine
InternalName : DVD FOR FREE
LegalCopyright : Captain Red 2005
LegalTrademarks : Captain Red 2005
OriginalFilename : dvd43_tray.exe
Comments : Please use this software on a fair use basis. This software is FREE - No charges must be paid to obtain it.

#:38 [ituneshelper.exe]
ModuleName : C:\Program Files\iTunes\iTunesHelper.exe
Command Line : "C:\Program Files\iTunes\iTunesHelper.exe"
ProcessID : 3720
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 4.8.0.31
ProductVersion : 4.8.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:39 [mmdiag.exe]
ModuleName : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
Command Line : MMDiag.exe
ProcessID : 3728
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 10.00.1025
ProductVersion : 10.00.1025
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : Logging and tracing manager
InternalName : MMTraceExe
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : MMTraceExe.EXE

#:40 [mcvsshld.exe]
ModuleName : C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
Command Line : "C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
ProcessID : 3756
ThreadCreationTime : 5-28-2005 1:27:44 AM
BasePriority : Normal
FileVersion : 9, 1, 0, 6
ProductVersion : 9, 1, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : msvcshld
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsshld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:41 [mcagent.exe]
ModuleName : C:\PROGRA~1\mcafee.com\agent\mcagent.exe
Command Line : "C:\PROGRA~1\mcafee.com\agent\mcagent.exe"
ProcessID : 3792
ThreadCreationTime : 5-28-2005 1:27:45 AM
BasePriority : Normal
FileVersion : 5, 1, 0, 2
ProductVersion : 5, 1, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:42 [mcvsescn.exe]
ModuleName : c:\progra~1\mcafee.com\vso\mcvsescn.exe
Command Line : "c:\progra~1\mcafee.com\vso\mcvsescn.exe" /disabled
ProcessID : 3800
ThreadCreationTime : 5-28-2005 1:27:45 AM
BasePriority : Normal
FileVersion : 9, 1, 0, 4
ProductVersion : 9, 1, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:43 [ipodservice.exe]
ModuleName : C:\Program Files\iPod\bin\iPodService.exe
Command Line : "C:\Program Files\iPod\bin\iPodService.exe"
ProcessID : 3836
ThreadCreationTime : 5-28-2005 1:27:45 AM
BasePriority : Normal
FileVersion : 4.8.0.31
ProductVersion : 4.8.0.31
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:44 [versioncuecs2tray.exe]
ModuleName : C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
Command Line : "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
ProcessID : 3876
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal


#:45 [mim.exe]
ModuleName : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
Command Line : "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe" -Embedding
ProcessID : 3920
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal
FileVersion : 10.00.1025
ProductVersion : 10.00.1025
ProductName : Musicmatch Jukebox
CompanyName : Musicmatch, Inc.
FileDescription : mim
InternalName : mim
LegalCopyright : Copyright © Musicmatch 1998-2004
LegalTrademarks :
OriginalFilename : mim.exe

#:46 [acrotray.exe]
ModuleName : C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
Command Line : "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
ProcessID : 3928
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:47 [type32.exe]
ModuleName : C:\Program Files\Microsoft IntelliType Pro\type32.exe
Command Line : "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
ProcessID : 3964
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal


#:48 [point32.exe]
ModuleName : C:\Program Files\Microsoft IntelliPoint\point32.exe
Command Line : "C:\Program Files\Microsoft IntelliPoint\point32.exe"
ProcessID : 3992
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal


#:49 [smartdoctor.exe]
ModuleName : C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
Command Line : "C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" /start
ProcessID : 4004
ThreadCreationTime : 5-28-2005 1:27:46 AM
BasePriority : Normal
FileVersion : 4, 4, 5, 92
ProductVersion : 4, 4, 5, 92
ProductName : ASUS SmartDoctor
CompanyName : ASUSTeK Inc.
FileDescription : SmartDoctor
InternalName : SmartDoctor
LegalCopyright : Copyright © 2004
OriginalFilename : SmartDoctor.exe

#:50 [ctfmon.exe]
ModuleName : C:\WINDOWS\system32\ctfmon.exe
Command Line : "C:\WINDOWS\system32\ctfmon.exe"
ProcessID : 4036
ThreadCreationTime : 5-28-2005 1:27:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:51 [msnmsgr.exe]
ModuleName : C:\Program Files\MSN Messenger\msnmsgr.exe
Command Line : "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
ProcessID : 4044
ThreadCreationTime : 5-28-2005 1:27:47 AM
BasePriority : Normal
FileVersion : 7.0.0813
ProductVersion : 7.0.0813
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2005
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:52 [spysub.exe]
ModuleName : C:\Program Files\interMute\SpySubtract\SpySub.exe
Command Line : "C:\Program Files\interMute\SpySubtract\SpySub.exe" -autostart
ProcessID : 1460
ThreadCreationTime : 5-28-2005 1:27:48 AM
BasePriority : Normal
FileVersion : 1, 0, 1, 49
ProductVersion : 2.60
ProductName : SpySubtract
CompanyName : InterMute, Inc.
FileDescription : SpySubtract Program EXE
InternalName : SpySub.exe
LegalCopyright : Copyright © 2004 InterMute, Inc. All rights reserved.
OriginalFilename : SpySub.exe

#:53 [mcvsftsn.exe]
ModuleName : c:\progra~1\mcafee.com\vso\mcvsftsn.exe
Command Line : c:\progra~1\mcafee.com\vso\mcvsftsn.exe -Embedding
ProcessID : 2252
ThreadCreationTime : 5-28-2005 1:27:53 AM
BasePriority : Normal
FileVersion : 9, 1, 0, 4
ProductVersion : 9, 1, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan Instant Messenger Scan Module
InternalName : mcvsftsn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsftsn.EXE
Comments : McAfee VirusScan Instant Messenger Scan Module

#:54 [msmsgs.exe]
ModuleName : C:\Program Files\Messenger\msmsgs.exe
Command Line : "C:\Program Files\Messenger\msmsgs.exe" -Embedding
ProcessID : 2596
ThreadCreationTime : 5-28-2005 1:27:58 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:55 [g2comm.exe]
ModuleName : C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
Command Line : "C:\Program Files\Expertcity\GoToMyPC\g2comm.exe" "Plugin=G2PreLaunch&Dir=C:\Program Files\Expertcity\GoToMyPC&Path=g2pre.exe&ServiceName=GoToMyPC&ServiceFile=C:\Program Files\Expertcity\GoToMyPC\g2svc.exe&IsService=false&Debug=Off&Stat=Off&PluginDebug=Off&Plu
ProcessID : 2700
ThreadCreationTime : 5-28-2005 1:28:02 AM
BasePriority : Normal


#:56 [g2pre.exe]
ModuleName : C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
Command Line : "C:\Program Files\Expertcity\GoToMyPC\g2pre.exe" "StartID={0EC27BB5-E017-4742-BF67-8CFA83D1FF4E}&Debug=Off&Stat=Off"
ProcessID : 2796
ThreadCreationTime : 5-28-2005 1:28:04 AM
BasePriority : Normal
FileVersion : 4.1 Build 314
ProductVersion : 4.1 Build 314
ProductName : GoToMyPC
CompanyName : Citrix Online
FileDescription : GoToMyPC Pre-Launcher plugin
InternalName : GoToMyPC Pre-Launcher plugin
LegalCopyright : Copyright © 1997-2004 Citrix Online LLC
OriginalFilename : g2pre.exe

#:57 [g2tray.exe]
ModuleName : C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
Command Line : "C:\Program Files\Expertcity\GoToMyPC\g2tray.exe" "StartID={74255B66-4A45-4AEB-A34E-8BAF341F68E4}&Debug=Off&Stat=Off"
ProcessID : 2932
ThreadCreationTime : 5-28-2005 1:28:07 AM
BasePriority : Normal
FileVersion : 4.1 Build 314
ProductVersion : 4.1 Build 314
ProductName : GoToMyPC
CompanyName : Citrix Online
FileDescription : GoToMyPC Host Launcher
InternalName : GoToMyPC Host Launcher
LegalCopyright : Copyright © 1997-2004 Citrix Online LLC
OriginalFilename : g2tray.exe

#:58 [firefox.exe]
ModuleName : C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
Command Line : C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "http://gmail.google.com/gmail"
ProcessID : 3360
ThreadCreationTime : 5-28-2005 1:28:24 AM
BasePriority : Normal


#:59 [iexplore.exe]
ModuleName : C:\Program Files\Internet Explorer\iexplore.exe
Command Line : "C:\Program Files\Internet Explorer\iexplore.exe"
ProcessID : 328
ThreadCreationTime : 5-28-2005 1:43:49 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:60 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe"
ProcessID : 2372
ThreadCreationTime : 5-28-2005 1:45:34 AM
BasePriority : Normal
FileVersion : 6.2.0.208
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\Documents and Settings\Jason Prance\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\ahead\cover designer\recent file list
Description : list of recently used files in ahead cover designer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\creative tech\creative wavestudio\settings
Description : list of recently used directories in creative wavestudio


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\macromedia\dreamweaver 6\recent file list
Description : list of recently used files in macromedia dreamweaver


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\frontpage\explorer
Description : last import file path in microsoft frontpage


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\office\10.0\clip organizer\search\last query
Description : last query in microsoft clip organizer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\terminal server client\default
Description : list of recent systems connected to using remote desktop / terminal services


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : software\musicmatch
Description : download location of the musicmatch installer


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description : file conversion location settings in musicmatch jukebox


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1060284298-1715567821-725345543-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@atdmt[2].txt
Category : Data Miner
Comment : Hits:14
Value : Cookie:jason prance@atdmt.com/
Expires : 5-23-2010 8:00:00 PM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@statse.webtrendslive[2].txt
Category : Data Miner
Comment : Hits:28
Value : Cookie:jason prance@statse.webtrendslive.com/
Expires : 5-24-2015 8:40:32 PM
LastSync : Hits:28
UseCount : 0
Hits : 28

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@ads.addynamix[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:jason prance@ads.addynamix.com/
Expires : 5-27-2005 10:39:08 PM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@server.iad.liveperson[1].txt
Category : Data Miner
Comment : Hits:11
Value : Cookie:jason prance@server.iad.liveperson.net/
Expires : 5-26-2006 8:18:08 PM
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@ehg-citrixonline.hitbox[2].txt
Category : Data Miner
Comment : Hits:9
Value : Cookie:jason prance@ehg-citrixonline.hitbox.com/
Expires : 5-26-2006 11:13:34 PM
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@ehg-dig.hitbox[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:jason prance@ehg-dig.hitbox.com/
Expires : 5-24-2006 6:33:40 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jason prance@hitbox[2].txt
Category : Data Miner
Comment : Hits:12
Value : Cookie:jason prance@hitbox.com/
Expires : 5-26-2006 11:13:34 PM
LastSync : Hits:12
UseCount : 0
Hits : 12

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 39



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 39


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 39




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 39

9:57:31 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:28.93
Objects scanned:196465
Objects identified:7
Objects ignored:0
New critical objects:7



- Jason
  • 0

#27
insipid

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
infinitydragon, this should have cleared up long ago, but this case hasn't turned out the way it should from the beginning :tazz:.

I suggest you simply try to remove that iSearch button from your menu bar in Firefox. Right-click in an empty area of the menu bar and select 'Customize' then 'Restore Default Set'. If it comes back, we know something is installing it, but you don't seem to have any other indications of an iSearch infection.

Now to those pesky registry keys. No scan we've done has shown anything we could point to as the culprit. So, it's likely it has to do with those entries in HijackThis that are associated with your RAID array, more specifically, they're installed with the miniport drivers for your Promise RAID controller. They are listed as malware by one trusted source, but the description includes 'What does it do and is it required?', so I've been reluctant to fix them. We're running out of options, so let's try it. HijackThis makes backups, so those entries can be restored if fixing them causes problems (Config >> Backups).

Rescan with HijackThis and place a checkmark next to the following entries:

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode


Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

This is the part where I usually give instructions to delete the files associated with the entries we just fixed, but to be safe let's leave them there. Please do a search for them, though, (ptipbm.dll and ptipbmf.dll) and rename them to something easy to change back, like ptipbm.dl1 and ptipbmf.dl1.

Run the removit.reg yet again, reboot, and see if Spysubtract still finds those keys.

Please post a fresh HJT log with you next reply.
  • 0

#28
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP