Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cleaned some; still can't download/connect


  • Please log in to reply

#1
SC_HoneyBee

SC_HoneyBee

    New Member

  • Member
  • Pip
  • 7 posts
I've run through all of the listed items that were advised, except the on-line scan. My system won't let me run online stuff for some reason.

Here's my HijackThis log file which is followed by my AdAware log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:08 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\usb.exe
C:\Program Files\SVA Player\SVAPLAYER.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MSAC-FD1\MSSTAT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Chris\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [3sFg34j] arpogmsg.exe
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [upelaj] C:\WINDOWS\upelaj.exe
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [vgltjeme] c:\windows\system32\vgltjeme.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [IBwmRQHqR] adpxcfg.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Chris\Application Data\wtta.exe
O4 - HKCU\..\Run: [Hqgw] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Memory Stick Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\SYSTEM32\windialup\2490\dial.exe (file missing)
O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\SYSTEM32\windialup\2490\dial.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.game...nts/y/yt1_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/cs0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it0_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...ts/y/dct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt0_x.cab
O16 - DPF: Yahoo! Go - http://download.game...nts/y/gt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.game...nts/y/st2_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.game...nts/y/vtd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.game...ts/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/p...t/msnchat41.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave...ownloadCtrl.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/p...at/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_0_2_1.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


AdAware Log file follows:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R48 30.05.2005
Internal build : 56
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 479648 Bytes
Total size : 1449429 Bytes
Signature data size : 1417942 Bytes
Reference data size : 30975 Bytes
Signatures total : 40440
Fingerprints total : 895
Fingerprints size : 30725 Bytes
Target categories : 15
Target families : 685


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:61 %
Total physical memory:523808 kb
Available physical memory:316952 kb
Total page file size:1280068 kb
Available on page file:1122692 kb
Total virtual memory:2097024 kb
Available virtual memory:2041040 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-30-2005 11:25:09 AM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 380
ThreadCreationTime : 5-30-2005 3:17:09 PM
BasePriority : Normal


#:2 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : n/a
ProcessID : 508
ThreadCreationTime : 5-30-2005 3:17:19 PM
BasePriority : High


#:3 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : n/a
ProcessID : 552
ThreadCreationTime : 5-30-2005 3:17:20 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : n/a
ProcessID : 564
ThreadCreationTime : 5-30-2005 3:17:20 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:5 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : n/a
ProcessID : 724
ThreadCreationTime : 5-30-2005 3:17:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 780
ThreadCreationTime : 5-30-2005 3:17:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [spoolsv.exe]
ModuleName : C:\WINDOWS\system32\spoolsv.exe
Command Line : n/a
ProcessID : 1104
ThreadCreationTime : 5-30-2005 3:17:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:8 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1348
ThreadCreationTime : 5-30-2005 3:17:30 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:9 [hpsysdrv.exe]
ModuleName : C:\windows\system\hpsysdrv.exe
Command Line : "c:\windows\system\hpsysdrv.exe"
ProcessID : 1460
ThreadCreationTime : 5-30-2005 3:17:33 PM
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe

#:10 [usb.exe]
ModuleName : C:\WINDOWS\system32\usb.exe
Command Line : "C:\WINDOWS\system32\usb.exe"
ProcessID : 1504
ThreadCreationTime : 5-30-2005 3:17:33 PM
BasePriority : Normal


#:11 [svaplayer.exe]
ModuleName : C:\Program Files\SVA Player\SVAPLAYER.EXE
Command Line : "C:\Program Files\SVA Player\SVAPLAYER.EXE"
ProcessID : 1512
ThreadCreationTime : 5-30-2005 3:17:33 PM
BasePriority : Normal
FileVersion : 3.0.1b
ProductVersion : 3.0.1b
ProductName : SVA Player Plugin
CompanyName : QuickFlicks, Inc.
FileDescription : SVA Player Plugin
InternalName : SVAPLAYER
LegalCopyright : Copyright © 2000-2001 QuickFlicks, Inc. All Rights Reserved.
LegalTrademarks : SVA Player Plugin™ and QuickFlicks™ are trademarks of QuickFlicks, Inc.
OriginalFilename : SVAPLAYER.EXE

#:12 [hpztsb04.exe]
ModuleName : C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
Command Line : "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe"
ProcessID : 1528
ThreadCreationTime : 5-30-2005 3:17:33 PM
BasePriority : Normal
FileVersion : 2,76,0,0
ProductVersion : 2,76,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2001

#:13 [realsched.exe]
ModuleName : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Command Line : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
ProcessID : 1536
ThreadCreationTime : 5-30-2005 3:17:34 PM
BasePriority : Normal
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
ProductName : RealOne Player (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002
LegalTrademarks : RealAudio™ is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe

#:14 [qttask.exe]
ModuleName : C:\Program Files\QuickTime\qttask.exe
Command Line : "C:\Program Files\QuickTime\qttask.exe" -atboottime
ProcessID : 1548
ThreadCreationTime : 5-30-2005 3:17:34 PM
BasePriority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:15 [qoeloader.exe]
ModuleName : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
Command Line : "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
ProcessID : 1604
ThreadCreationTime : 5-30-2005 3:17:35 PM
BasePriority : Normal
FileVersion : 2.1.212.0
ProductVersion : 2.1.212.0
ProductName : QOELoader Application
CompanyName : Qurb, Inc.
FileDescription : QOELoader Application
InternalName : QOELoader
LegalCopyright : Copyright © 2002, 2003 Qurb, Inc. All rights reserved.
OriginalFilename : QOELoader.exe

#:16 [vettray.exe]
ModuleName : C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
Command Line : "C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe"
ProcessID : 1624
ThreadCreationTime : 5-30-2005 3:17:35 PM
BasePriority : Normal
FileVersion : Version 1.0
ProductName : VetTray
CompanyName : Computer Associates International, Inc.
FileDescription : Iconic notifier
InternalName : VetTray
LegalCopyright : Copyright © 1997-2001 Computer Associates International, Inc.
OriginalFilename : VetTray.exe

#:17 [ca.exe]
ModuleName : C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
Command Line : n/a
ProcessID : 1632
ThreadCreationTime : 5-30-2005 3:17:35 PM
BasePriority : Normal
FileVersion : 4.5.585.000
ProductVersion : 4.5.585.000
ProductName : EZ Firewall
CompanyName : Computer Associates
FileDescription : EZ Firewall
InternalName : ca
LegalCopyright : Copyright © 1998-2003, Computer Associates..............
OriginalFilename : ca.exe

#:18 [gcasserv.exe]
ModuleName : C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
Command Line : "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
ProcessID : 1640
ThreadCreationTime : 5-30-2005 3:17:35 PM
BasePriority : Idle
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasServ.exe

#:19 [money express.exe]
ModuleName : C:\Program Files\Microsoft Money\System\Money Express.exe
Command Line : "C:\Program Files\Microsoft Money\System\Money Express.exe"
ProcessID : 1664
ThreadCreationTime : 5-30-2005 3:17:35 PM
BasePriority : Normal
FileVersion : 10.00.0809
ProductVersion : 10.00.0809
ProductName : Microsoft Money
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : MoneyExpress
LegalCopyright : Copyright © Microsoft Corp. 1990-2001. All rights reserved.
OriginalFilename : MoneyExpress.EXE

#:20 [gcasdtserv.exe]
ModuleName : C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
Command Line : "C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe"
ProcessID : 1772
ThreadCreationTime : 5-30-2005 3:17:39 PM
BasePriority : Normal
FileVersion : 1.00.0509
ProductVersion : 1.00.0509
ProductName : Microsoft AntiSpyware (Beta 1)
CompanyName : Microsoft Corporation
FileDescription : Microsoft AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2004-2005 Microsoft Corporation. All rights reserved.
LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation. SpyNet™ is a trademark of Microsoft Corporation.
OriginalFilename : gcasDtServ.exe

#:21 [isafe.exe]
ModuleName : C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
Command Line : n/a
ProcessID : 1800
ThreadCreationTime : 5-30-2005 3:17:39 PM
BasePriority : Normal
FileVersion : Version 10.63.0.1
ProductVersion : Version 10.63.0.1
ProductName : ISafe
CompanyName : Computer Associates International, Inc.
FileDescription : ISafe Service
InternalName : ISafe
LegalCopyright : © 2003 Computer Associates International, Inc.
LegalTrademarks : Vet is a trademark of Computer Associates International, Inc.
OriginalFilename : ISafe.exe
Comments : ISafe

#:22 [nvsvc32.exe]
ModuleName : C:\WINDOWS\System32\nvsvc32.exe
Command Line : n/a
ProcessID : 1872
ThreadCreationTime : 5-30-2005 3:17:39 PM
BasePriority : Normal
FileVersion : 6.13.10.2832
ProductVersion : 6.13.10.2832
ProductName : NVIDIA Driver Helper Service, Version 28.32
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 28.32
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:23 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : n/a
ProcessID : 1996
ThreadCreationTime : 5-30-2005 3:17:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:24 [vetmsg.exe]
ModuleName : C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
Command Line : n/a
ProcessID : 188
ThreadCreationTime : 5-30-2005 3:17:41 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : vetmsg
CompanyName : Computer Associates International, Inc.
FileDescription : vetmsg
InternalName : vetmsg
LegalCopyright : Copyright © 1989-2003 Computer Associates International, Inc.
OriginalFilename : vetmsg.exe

#:25 [vsmon.exe]
ModuleName : C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Command Line : n/a
ProcessID : 288
ThreadCreationTime : 5-30-2005 3:17:41 PM
BasePriority : Normal
FileVersion : 4.5.585.000
ProductVersion : 4.5.585.000
ProductName : TrueVector Service
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2003, Zone Labs Inc.
OriginalFilename : vsmon.exe

#:26 [ymsgr_tray.exe]
ModuleName : C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
Command Line : "C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe" -ymsgr
ProcessID : 1304
ThreadCreationTime : 5-30-2005 3:17:57 PM
BasePriority : Normal


#:27 [msstat.exe]
ModuleName : C:\Program Files\MSAC-FD1\MSSTAT.EXE
Command Line : "C:\Program Files\MSAC-FD1\MSSTAT.EXE"
ProcessID : 888
ThreadCreationTime : 5-30-2005 3:18:02 PM
BasePriority : Normal
FileVersion : 1, 50, 1, 6
ProductVersion : 1, 50, 1, 6
ProductName : MSstat Application
CompanyName : Sony Corporation & SmartDisk Corporation
FileDescription : MSstat MFC Application
InternalName : MSstat
LegalCopyright : 1999-2000 Sony Corporation & SmartDisk Corporation
OriginalFilename : msstat.EXE

#:28 [wuauclt.exe]
ModuleName : C:\WINDOWS\System32\wuauclt.exe
Command Line : "C:\WINDOWS\System32\wuauclt.exe"
ProcessID : 2056
ThreadCreationTime : 5-30-2005 3:18:51 PM
BasePriority : Normal
FileVersion : 5.4.3790.2182 built by: srv03_rtm(ntvbl04)
ProductVersion : 5.4.3790.2182
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe

#:29 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 2116
ThreadCreationTime : 5-30-2005 3:18:52 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Other Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2495073255-2969962186-290470409-1006\software\acceleration software international corporation

eAcceleration Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : S-1-5-21-2495073255-2969962186-290470409-1006\\software\acceleration software international corporation

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{9D74677A-E227-40fb-9511-F7E92EA4083A}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\internet explorer\extensions\cmdmapping
Value : {9D74677A-E227-40fb-9511-F7E92EA4083A}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : S-1-5-21-2495073255-2969962186-290470409-1006\software\lq
Value : AC

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\player\settings
Description : last save as directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\mediaplayer\preferences
Description : last search path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\common\open find\microsoft powerpoint\settings\insert picture\file name mru
Description : list of recent pictured inserted in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\excel\recent file list
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\office\8.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


MRU List Object Recognized!
Location: : S-1-5-21-2495073255-2969962186-290470409-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 37



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL & Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?294628
Object : C:\Documents and Settings\Chris\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL & Unlimited Internet.url
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/...ndex.adp?294628
Object : C:\Documents and Settings\Chris\Favorites\Links\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ebates MoneyMaker Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AT

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AC

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : U

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AD

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : I

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : AM

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : TR

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : country

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : city

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : state

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.8

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX2.9

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.0

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\lq
Value : RX3.1

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : VwrCtl.inf
Category : Malware
Comment : iwantsearch.com hijack
Object : C:\WINDOWS\downloaded program files\



Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 18
Objects found so far: 57

11:48:35 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:23:26.250
Objects scanned:193545
Objects identified:25
Objects ignored:0
New critical objects:25
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
First I'd like you to disable Spybot's Teatimer and Microsoft AntiSpyware's resident protection. You can put them back to work when you are clean, but for the moment they will only hinder us by guarding your settings.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.130.185.122/sidesearch.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE

O4 - HKLM\..\Run: [3sFg34j] arpogmsg.exe
O4 - HKLM\..\Run: [webscan] C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe -k
O4 - HKLM\..\Run: [upelaj] C:\WINDOWS\upelaj.exe
O4 - HKLM\..\Run: [sginst] C:\PROGRA~1\ACCELE~1\SCRIPT~1\sginst.exe /upd
O4 - HKLM\..\Run: [dguard] C:\PROGRA~1\ACCELE~1\DOWNLO~1\dguard.exe
O4 - HKLM\..\Run: [eanth_system_patcher] "C:\Program Files\Acceleration Software\SystemPatcher\sys_alert.exe" /Startup
O4 - HKLM\..\Run: [vgltjeme] c:\windows\system32\vgltjeme.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

O4 - HKCU\..\Run: [IBwmRQHqR] adpxcfg.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Chris\Application Data\wtta.exe
O4 - HKCU\..\Run: [Hqgw] C:\WINDOWS\System32\n?tepad.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe

O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\SYSTEM32\windialup\2490\dial.exe (file missing)
O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\SYSTEM32\windialup\2490\dial.exe (file missing)

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtange...smmp/wtinst.cab

O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab

Reboot into safe mode and delete:
C:\Program Files\SVA Player <= entire folder
C:\Program Files\Acceleration Software <= entire folder
c:\windows\system32\vgltjeme.exe
C:\Documents and Settings\Chris\Application Data\wtta.exe

Boot back to normal and post a new HijackThis log.

Regards,
  • 0

#3
SC_HoneyBee

SC_HoneyBee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Okay, I believe that I did everything; but, the following files/folders did not exist, therefore they could not be deleted:

C:\Program Files\Acceleration Software <= entire folder
c:\windows\system32\vgltjeme.exe
C:\Documents and Settings\Chris\Application Data\wtta.exe

Oh, please accept my thanks for taking the time to help me with this...It's truly appreciated.

Here's my new HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:31 AM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\usb.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0

\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\ca.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Chris\Desktop\Hijack This\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

res://C:\WINDOWS\system32\cjyys.dll/sp.html#94115
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName

=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:

\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F

88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon

initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32

\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.

exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.

exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ

Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.

exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3

\ca.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft

Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.

Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!

\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program

Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search

& Destroy\TeaTimer.exe
O4 - Global Startup: Memory Stick Monitor.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program

Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD

55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -

c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/

cr.cab
O16 - DPF: JT's Blocks - http://download.game...m/games/clients

/y/blt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/

clients/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/

clients/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/

clients/y/yt1_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/

clients/y/kt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/

clients/y/cs0_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/

clients/y/it0_x.cab
O16 - DPF: Yahoo! Dice - http://download.game...m/games/clients

/y/dct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/

clients/y/dot2_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...m/games/clients

/y/dtt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/

clients/y/fltt0_x.cab
O16 - DPF: Yahoo! Go - http://download.game...games/clients/y

/gt0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/

clients/y/zt0_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/

clients/y/grt0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/

clients/y/tt0_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/

clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/

games/clients/y/mjst0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/

clients/y/potb_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/

clients/y/pyt0_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/

clients/y/st2_x.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/

games/clients/y/vtd_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/

clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/

clients/y/wt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com

Configuration Class) - http://activation.rr...stall/download/

tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX

Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) - http://go.microsoft....fwlink/?linkid=

36467&clcid=0x409
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com

/public/chat/msnchat41.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) -

http://www.worldwinn...5/pool/pool.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.

akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/

QuickTimeInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

http://us.games2.yim...es/play/client/

exentctl_0_0_0_1.ocx
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.

google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) -

http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class)

- http://fdl.msn.com/z...4/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload

Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl

Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)

- http://www.popcap.co...aploader_v6.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl

Control) - http://www.shockwave.../BTDownloadCtrl.

cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer

Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com

/public/chat/msnchat4.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) -

http://us.dl1.yimg.c...m/yiebio5_0_2_1.

cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.

5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International,

Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.

exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates

International, Inc. - C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
res://C:\WINDOWS\system32\cjyys.dll/sp.html#94115

The rest looks OK to me.

Is your computer behaving now?

Regards,
  • 0

#5
SC_HoneyBee

SC_HoneyBee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
For the most part it seems to be behaving. I went back and tried to run the on-line scan. It still would not let me. So I tried to download the free version...and...

I got the following message...

*********
You are not authorized to view this page
You might not have permission to view this directory or page using the credentials you supplied.

--------------------------------------------------------------------------------

If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the www.trendmicro.com home page.

You can click Search to look for information on the Internet.
******


I get this message a lot. Do I have something set that will not allow for downloads?

Thanks again,
Christine
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you try and see if this kb article is any help:
http://support.micro...66&Product=ISAS

Upgrading XP and IE to SP2 might solve the issue and is a good idea anyway.

Regards,
  • 0

#7
SC_HoneyBee

SC_HoneyBee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for the info. I've been afraid to upgrade due to all the stuff I had going on. Guess it's time to bite the bullet...LOL

Thank you so much for all of your help. Without this site and your help I'd have been totally lost.

Best wishes to you,
Christine :tazz:
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
No problem. :tazz:

I'll leave this thread open so you can post any additional questions.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP