Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Persistent virus/hijacker [RESOLVED]


  • This topic is locked This topic is locked

#46
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download CleanUp
Install the program, dont run it yet, we will later.

Next, please reboot your computer in SafeMode

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Now check if Norton picks up any infections !!!!!!!! You can probably get only the c:\Windows folder and its sub-folders scanned.
  • 0

Advertisements


#47
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Done. Norton did not pick up anything.

The computer seems to be loading windows S-L-O-O-O-O-O-OW-W-W-W, though.

Spybot just told me Cleanup wanted to change the registry -- I allowed that.

Also, when I ran in safe mode, I had the option of logging in as Administrator or my normal log in. I ran this stuff in my normal log in. Will it make a difference?

Steve

Edited by MrSpkr, 21 September 2005 - 09:23 AM.

  • 0

#48
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Run the Clean Up again as Administrator.

In the Administrator mode it will clean up some of the files which your login account doesnt have access to. However, if your login profile has administrative rights, then it is not required to be run again.

Post a fresh HJT log. I will see if there are any processes which can be removed at startup to speed up the booting process
  • 0

#49
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Done.

Logfile of HijackThis v1.99.1
Scan saved at 10:09:39 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\vanguard.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


That was right when I logged in. After I ran HijackThis, (and while typing this up) I got the following report:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:34 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Looking forward to your assistance.

Steve
  • 0

#50
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Run Hijack This and click on scan. The following items need to be fixed -

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

This will not delete the programs from your PC. This will only disable the programs from running at Start up and result in a faster PC. You can always run the programs manually by using the respective exe files or the shortcuts.

After this, please visit Windows security and critical updates and get all the updates and patches and install them on your PC.

Reboot the PC and post a fresh HJT log.
  • 0

#51
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
When I try to do the updates, I get this error:

[Error number: 0x80072EFD]

Please advise.

Steve
  • 0

#52
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Steve,


Seems to be a common occurence at Microsoft Site. They even have an article on it. Please read it here - http://support.micro...om/?kbid=836941


Try for the updates again.
  • 0

#53
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Here you go. I also removed Spybot SD prior to installation.

Logfile of HijackThis v1.99.1
Scan saved at 7:12:34 PM, on 9/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


  • 0

#54
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
And now I am suffering from the memory issues I had earlier (screen blacking out occasionally, sometimes restoring, sometimes rebooting; "generic svchost error at boot.)

Argh.

Here is an adaware SE log:


Ad-Aware SE Build 1.06r1
Logfile Created on:Saturday, September 24, 2005 9:10:57 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R67 20.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
MRU List(TAC index:0):26 total references
Tracking Cookie(TAC index:3):4 total references
WinFixer(TAC index:3):13 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R64 31.08.2005
Internal build : 75
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 515324 Bytes
Total size : 1551493 Bytes
Signature data size : 1518382 Bytes
Reference data size : 32599 Bytes
Signatures total : 43181
CSI Fingerprints total : 1032
CSI data size : 36709 Bytes
Target categories : 15
Target families : 740

9-24-2005 9:10:32 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R67 20.09.2005
Internal build : 79
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 524443 Bytes
Total size : 1576182 Bytes
Signature data size : 1543004 Bytes
Reference data size : 32666 Bytes
Signatures total : 43850
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 746


9-24-2005 9:10:43 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:56 %
Total physical memory:523632 kb
Available physical memory:288992 kb
Total page file size:1279920 kb
Available on page file:1059476 kb
Total virtual memory:2097024 kb
Available virtual memory:2045736 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


9-24-2005 9:10:57 PM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
    ModuleName        : \SystemRoot\System32\smss.exe
    Command Line      : n/a
    ProcessID          : 988
    ThreadCreationTime : 9-25-2005 2:06:24 AM
    BasePriority      : Normal


#:2 [csrss.exe]
    ModuleName        : \??\C:\WINDOWS\system32\csrss.exe
    Command Line      : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
    ProcessID          : 1100
    ThreadCreationTime : 9-25-2005 2:06:27 AM
    BasePriority      : Normal


#:3 [winlogon.exe]
    ModuleName        : \??\C:\WINDOWS\system32\winlogon.exe
    Command Line      : winlogon.exe
    ProcessID          : 1132
    ThreadCreationTime : 9-25-2005 2:06:30 AM
    BasePriority      : High


#:4 [services.exe]
    ModuleName        : C:\WINDOWS\system32\services.exe
    Command Line      : C:\WINDOWS\system32\services.exe
    ProcessID          : 1176
    ThreadCreationTime : 9-25-2005 2:06:30 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Services and Controller app
    InternalName      : services.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : services.exe

#:5 [lsass.exe]
    ModuleName        : C:\WINDOWS\system32\lsass.exe
    Command Line      : C:\WINDOWS\system32\lsass.exe
    ProcessID          : 1188
    ThreadCreationTime : 9-25-2005 2:06:31 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : LSA Shell (Export Version)
    InternalName      : lsass.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : lsass.exe

#:6 [svchost.exe]
    ModuleName        : C:\WINDOWS\system32\svchost.exe
    Command Line      : C:\WINDOWS\system32\svchost -k DcomLaunch
    ProcessID          : 1436
    ThreadCreationTime : 9-25-2005 2:06:32 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:7 [svchost.exe]
    ModuleName        : C:\WINDOWS\system32\svchost.exe
    Command Line      : C:\WINDOWS\system32\svchost -k rpcss
    ProcessID          : 1504
    ThreadCreationTime : 9-25-2005 2:06:32 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:8 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k netsvcs
    ProcessID          : 1544
    ThreadCreationTime : 9-25-2005 2:06:32 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:9 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k NetworkService
    ProcessID          : 1612
    ThreadCreationTime : 9-25-2005 2:06:32 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:10 [svchost.exe]
    ModuleName        : C:\WINDOWS\System32\svchost.exe
    Command Line      : C:\WINDOWS\System32\svchost.exe -k LocalService
    ProcessID          : 1668
    ThreadCreationTime : 9-25-2005 2:06:33 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Generic Host Process for Win32 Services
    InternalName      : svchost.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : svchost.exe

#:11 [spoolsv.exe]
    ModuleName        : C:\WINDOWS\system32\spoolsv.exe
    Command Line      : C:\WINDOWS\system32\spoolsv.exe
    ProcessID          : 2016
    ThreadCreationTime : 9-25-2005 2:06:34 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion    : 5.1.2600.2696
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler SubSystem App
    InternalName      : spoolsv.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : spoolsv.exe

#:12 [scardsvr.exe]
    ModuleName        : C:\WINDOWS\System32\SCardSvr.exe
    Command Line      : C:\WINDOWS\System32\SCardSvr.exe
    ProcessID          : 156
    ThreadCreationTime : 9-25-2005 2:06:34 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Smart Card Resource Management Server
    InternalName      : SCardSvr.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : SCardSvr.exe

#:13 [ccevtmgr.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    ProcessID          : 224
    ThreadCreationTime : 9-25-2005 2:06:34 AM
    BasePriority      : Normal
    FileVersion        : 1.03.4
    ProductVersion    : 1.03.4
    ProductName        : Event Manager
    CompanyName        : Symantec Corporation
    FileDescription    : Event Manager Service
    InternalName      : ccEvtMgr
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccEvtMgr.exe

#:14 [navapsvc.exe]
    ModuleName        : C:\Program Files\Norton AntiVirus\navapsvc.exe
    Command Line      : "C:\Program Files\Norton AntiVirus\navapsvc.exe"
    ProcessID          : 328
    ThreadCreationTime : 9-25-2005 2:06:34 AM
    BasePriority      : Normal
    FileVersion        : 8.07.17
    ProductVersion    : 8.07.17
    ProductName        : Norton AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Auto-Protect Service
    InternalName      : NAVAPSVC
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NAVAPSVC.EXE

#:15 [nisum.exe]
    ModuleName        : C:\Program Files\Norton Internet Security\NISUM.EXE
    Command Line      : "C:\Program Files\Norton Internet Security\NISUM.EXE"
    ProcessID          : 460
    ThreadCreationTime : 9-25-2005 2:06:34 AM
    BasePriority      : Normal
    FileVersion        : 6.02.2003
    ProductVersion    : 6.02.2003
    ProductName        : Norton Internet Security
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Internet Security NISUM
    InternalName      : NISUM
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NISUM.exe

#:16 [nvsvc32.exe]
    ModuleName        : C:\WINDOWS\System32\nvsvc32.exe
    Command Line      : C:\WINDOWS\System32\nvsvc32.exe
    ProcessID          : 592
    ThreadCreationTime : 9-25-2005 2:06:35 AM
    BasePriority      : Normal
    FileVersion        : 6.14.10.4422
    ProductVersion    : 6.14.10.4422
    ProductName        : NVIDIA Driver Helper Service, Version 44.22
    CompanyName        : NVIDIA Corporation
    FileDescription    : NVIDIA Driver Helper Service, Version 44.22
    InternalName      : NVSVC
    LegalCopyright    : © NVIDIA Corporation. All rights reserved.
    OriginalFilename  : nvsvc32.exe

#:17 [slserv.exe]
    ModuleName        : C:\WINDOWS\system32\slserv.exe
    Command Line      : slserv.exe
    ProcessID          : 660
    ThreadCreationTime : 9-25-2005 2:06:35 AM
    BasePriority      : Normal
    FileVersion        : 2.80.00(24Apr2000)
    ProductVersion    : 2.80.00
    ProductName        : Modem
    FileDescription    : User-Level Modem Service
    InternalName      : slserv
    LegalCopyright    : Copyright © 1999-2000
    OriginalFilename  : slserv.exe

#:18 [symwsc.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
    ProcessID          : 768
    ThreadCreationTime : 9-25-2005 2:06:35 AM
    BasePriority      : Normal
    FileVersion        : 2005.1.2.20
    ProductVersion    : 2005.1
    ProductName        : Norton Security Center
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Security Center Service
    InternalName      : SymWSC.exe
    LegalCopyright    : Copyright © 1997-2004 Symantec Corporation
    OriginalFilename  : SymWSC.exe

#:19 [ccpxysvc.exe]
    ModuleName        : C:\Program Files\Norton Internet Security\ccPxySvc.exe
    Command Line      : "C:\Program Files\Norton Internet Security\ccPxySvc.exe"
    ProcessID          : 808
    ThreadCreationTime : 9-25-2005 2:06:35 AM
    BasePriority      : Normal
    FileVersion        : 6.02.2003
    ProductVersion    : 6.02.2003
    ProductName        : Norton Internet Security
    CompanyName        : Symantec Corporation
    FileDescription    : Norton Internet Security Proxy Service
    InternalName      : ccPxySvc
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccPxySvc.exe

#:20 [alg.exe]
    ModuleName        : C:\WINDOWS\System32\alg.exe
    Command Line      : C:\WINDOWS\System32\alg.exe
    ProcessID          : 1112
    ThreadCreationTime : 9-25-2005 2:06:36 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Application Layer Gateway Service
    InternalName      : ALG.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : ALG.exe

#:21 [explorer.exe]
    ModuleName        : C:\WINDOWS\Explorer.EXE
    Command Line      : C:\WINDOWS\Explorer.EXE
    ProcessID          : 1784
    ThreadCreationTime : 9-25-2005 2:06:57 AM
    BasePriority      : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName      : explorer
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : EXPLORER.EXE

#:22 [incd.exe]
    ModuleName        : C:\Program Files\Ahead\InCD\InCD.exe
    Command Line      : "C:\Program Files\Ahead\InCD\InCD.exe"
    ProcessID          : 1916
    ThreadCreationTime : 9-25-2005 2:07:03 AM
    BasePriority      : Normal


#:23 [point32.exe]
    ModuleName        : C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    Command Line      : "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
    ProcessID          : 380
    ThreadCreationTime : 9-25-2005 2:07:03 AM
    BasePriority      : Normal


#:24 [ccapp.exe]
    ModuleName        : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    Command Line      : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ProcessID          : 1920
    ThreadCreationTime : 9-25-2005 2:07:03 AM
    BasePriority      : Normal
    FileVersion        : 1.0.10.006
    ProductVersion    : 1.0.10.006
    ProductName        : Common Client
    CompanyName        : Symantec Corporation
    FileDescription    : Common Client CC App
    InternalName      : ccApp
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : ccApp.exe

#:25 [realsched.exe]
    ModuleName        : C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    Command Line      : "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    ProcessID          : 1956
    ThreadCreationTime : 9-25-2005 2:07:04 AM
    BasePriority      : Normal
    FileVersion        : 0.1.0.3275
    ProductVersion    : 0.1.0.3275
    ProductName        : RealPlayer (32-bit)
    CompanyName        : RealNetworks, Inc.
    FileDescription    : RealNetworks Scheduler
    InternalName      : schedapp
    LegalCopyright    : Copyright © RealNetworks, Inc. 1995-2004
    LegalTrademarks    : RealAudio™ is a trademark of RealNetworks, Inc.
    OriginalFilename  : realsched.exe

#:26 [navapw32.exe]
    ModuleName        : C:\PROGRA~1\NORTON~2\navapw32.exe
    Command Line      : "C:\PROGRA~1\NORTON~2\navapw32.exe"
    ProcessID          : 1964
    ThreadCreationTime : 9-25-2005 2:07:04 AM
    BasePriority      : Normal
    FileVersion        : 8.07.17
    ProductVersion    : 8.07.17
    ProductName        : Norton AntiVirus
    CompanyName        : Symantec Corporation
    FileDescription    : Norton AntiVirus Agent
    InternalName      : NAVAPW32
    LegalCopyright    : Copyright © 2000-2002 Symantec Corporation. All rights reserved.
    OriginalFilename  : NAVAPW32.EXE

#:27 [jusched.exe]
    ModuleName        : C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    Command Line      : "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
    ProcessID          : 2132
    ThreadCreationTime : 9-25-2005 2:07:04 AM
    BasePriority      : Normal


#:28 [ituneshelper.exe]
    ModuleName        : C:\Program Files\iTunes\iTunesHelper.exe
    Command Line      : "C:\Program Files\iTunes\iTunesHelper.exe"
    ProcessID          : 2280
    ThreadCreationTime : 9-25-2005 2:07:05 AM
    BasePriority      : Normal
    FileVersion        : 5.0.1.4
    ProductVersion    : 5.0.1.4
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iTunesHelper Module
    InternalName      : iTunesHelper
    LegalCopyright    : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename  : iTunesHelper.exe

#:29 [qttask.exe]
    ModuleName        : C:\Program Files\QuickTime\qttask.exe
    Command Line      : "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ProcessID          : 2444
    ThreadCreationTime : 9-25-2005 2:07:06 AM
    BasePriority      : Normal
    FileVersion        : 7.0.2
    ProductVersion    : QuickTime 7.0.2
    ProductName        : QuickTime
    CompanyName        : Apple Computer, Inc.
    FileDescription    : QuickTime Task
    InternalName      : QuickTime Task
    LegalCopyright    : Copyright Apple Computer, Inc. 1989-2005
    OriginalFilename  : QTTask.exe

#:30 [msmsgs.exe]
    ModuleName        : C:\Program Files\Messenger\msmsgs.exe
    Command Line      : "C:\Program Files\Messenger\msmsgs.exe" /background
    ProcessID          : 2612
    ThreadCreationTime : 9-25-2005 2:07:07 AM
    BasePriority      : Normal
    FileVersion        : 4.7.3001
    ProductVersion    : Version 4.7.3001
    ProductName        : Messenger
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Messenger
    InternalName      : msmsgs
    LegalCopyright    : Copyright © Microsoft Corporation 2004
    LegalTrademarks    : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename  : msmsgs.exe

#:31 [ipodservice.exe]
    ModuleName        : C:\Program Files\iPod\bin\iPodService.exe
    Command Line      : "C:\Program Files\iPod\bin\iPodService.exe"
    ProcessID          : 2676
    ThreadCreationTime : 9-25-2005 2:07:08 AM
    BasePriority      : Normal
    FileVersion        : 5.0.1.4
    ProductVersion    : 5.0.1.4
    ProductName        : iTunes
    CompanyName        : Apple Computer, Inc.
    FileDescription    : iPodService Module
    InternalName      : iPodService
    LegalCopyright    : © 2003-2005 Apple Computer, Inc. All Rights Reserved.
    OriginalFilename  : iPodService.exe

#:32 [odhost.exe]
    ModuleName        : C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    Command Line      : "C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe"
    ProcessID          : 2824
    ThreadCreationTime : 9-25-2005 2:07:14 AM
    BasePriority      : Normal
    FileVersion        : 1, 0, 0, 1
    ProductVersion    : 1, 0, 0, 1
    FileDescription    : Odyssey COM Host
    InternalName      : OdHost
    LegalCopyright    : Copyright © 2003
    OriginalFilename  : Odhost.exe

#:33 [wpc54cfg.exe]
    ModuleName        : C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
    Command Line      : "C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe"
    ProcessID          : 2844
    ThreadCreationTime : 9-25-2005 2:07:16 AM
    BasePriority      : Normal
    FileVersion        : 2.0.2.21
    ProductVersion    : 1.3.0.1
    ProductName        : Linksys Instant WLAN Monitor
    CompanyName        : The Linksys Group, Inc.
    FileDescription    : Linksys Instant WLAN Monitor
    InternalName      : WLANMonitor.EXE
    LegalCopyright    : Copyright © 2003, Linksys
    LegalTrademarks    : Instant Wireless
    OriginalFilename  : WLANMonitor.EXE
    Comments          : Linksys Instant WLAN Monitor

#:34 [wuauclt.exe]
    ModuleName        : C:\WINDOWS\system32\wuauclt.exe
    Command Line      : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[608]SUSDS652ded7f299b094895b98f5519ef9dfe
    ProcessID          : 1944
    ThreadCreationTime : 9-25-2005 2:07:21 AM
    BasePriority      : Normal
    FileVersion        : 5.8.0.2469 built by: lab01_n(wmbla)
    ProductVersion    : 5.8.0.2469
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Automatic Updates
    InternalName      : wuauclt.exe
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : wuauclt.exe

#:35 [iexplore.exe]
    ModuleName        : C:\Program Files\Internet Explorer\iexplore.exe
    Command Line      : "C:\Program Files\Internet Explorer\iexplore.exe"
    ProcessID          : 2116
    ThreadCreationTime : 9-25-2005 2:07:54 AM
    BasePriority      : Normal
    FileVersion        : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 6.00.2900.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Internet Explorer
    InternalName      : iexplore
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : IEXPLORE.EXE

#:36 [notepad.exe]
    ModuleName        : C:\WINDOWS\system32\NOTEPAD.EXE
    Command Line      : "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Documents and Settings\Stephen Hines\Desktop\45.txt
    ProcessID          : 472
    ThreadCreationTime : 9-25-2005 2:08:06 AM
    BasePriority      : Normal
    FileVersion        : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion    : 5.1.2600.2180
    ProductName        : Microsoft® Windows® Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Notepad
    InternalName      : Notepad
    LegalCopyright    : © Microsoft Corporation. All rights reserved.
    OriginalFilename  : NOTEPAD.EXE

#:37 [ad-aware.exe]
    ModuleName        : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    Command Line      : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
    ProcessID          : 3968
    ThreadCreationTime : 9-25-2005 2:10:23 AM
    BasePriority      : Normal
    FileVersion        : 6.2.0.236
    ProductVersion    : SE 106
    ProductName        : Lavasoft Ad-Aware SE
    CompanyName        : Lavasoft Sweden
    FileDescription    : Ad-Aware SE Core application
    InternalName      : Ad-Aware.exe
    LegalCopyright    : Copyright © Lavasoft AB Sweden
    OriginalFilename  : Ad-Aware.exe
    Comments          : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : appid\{8c65aef6-e413-4314-815b-82717a3f1603}

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : appid\checkproduct2.dll

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}

WinFixer Object Recognized!
    Type              : RegValue
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}
    Value              : AppID

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}

Alexa Object Recognized!
    Type              : RegValue
    Data              :
    TAC Rating        : 5
    Category          : Data Miner
    Comment            : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey            : HKEY_USERS
    Object            : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\internet explorer\extensions\cmdmapping
    Value              : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 7
Objects found so far: 7


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            : ({C427B3E3-28DC-4001-9590-D99B6776119B})
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : CheckProduct2.CheckProduct

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            : ({C427B3E3-28DC-4001-9590-D99B6776119B})
    Rootkey            : HKEY_CLASSES_ROOT
    Object            : CheckProduct2.CheckProduct.1

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 9

MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Stephen Hines\Application Data\microsoft\office\recent
    Description        : list of recently opened documents using microsoft office


MRU List Object Recognized!
    Location:          : C:\Documents and Settings\Stephen Hines\recent
    Description        : list of recently opened documents


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\corel\user assistant\10\recent work\wordperfect\last opened
    Description        : list of recently opened documents in corel wordperfect


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\corel\user assistant\10\recent work\wordperfect\last opened
    Description        : list of recently opened documents in corel wordperfect


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\google\navclient\1.1\history
    Description        : list of recently used search terms in the google toolbar


MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct3d


MRU List Object Recognized!
    Location:          : software\microsoft\direct3d\mostrecentapplication
    Description        : most recent application to use microsoft direct X


MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\mediaplayer\player\settings
    Description        : last open directory used in jasc paint shop pro


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\mediaplayer\preferences
    Description        : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\mediaplayer\preferences
    Description        : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\search assistant\acmru
    Description        : list of recent search terms used with the search assistant


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list
    Description        : list of recent files opened using wordpad


MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


MRU List Object Recognized!
    Location:          : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
    Description        : list of recent programs opened


MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


MRU List Object Recognized!
    Location:          : S-1-5-18\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
    Description        : list of recently saved files, stored according to file extension


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows\currentversion\explorer\recentdocs
    Description        : list of recent documents opened


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\nico mak computing\winzip\filemenu
    Description        : winzip recently used archives


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent skins in realplayer


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\realnetworks\realplayer\6.0\preferences
    Description        : list of recent clips in realplayer


MRU List Object Recognized!
    Location:          : S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
    Type              : IECache Entry
    Data              : stephen hines@adserver.trb[2].txt
    TAC Rating        : 3
    Category          : Data Miner
    Comment            : Hits:2
    Value              : Cookie:stephen hines@adserver.trb.com/
    Expires            : 12-30-2037 11:00:00 AM
    LastSync          : Hits:2
    UseCount          : 0
    Hits              : 2

Tracking Cookie Object Recognized!
    Type              : IECache Entry
    Data              : stephen hines@statcounter[2].txt
    TAC Rating        : 3
    Category          : Data Miner
    Comment            : Hits:12
    Value              : Cookie:stephen hines@statcounter.com/
    Expires            : 9-23-2010 12:49:24 AM
    LastSync          : Hits:12
    UseCount          : 0
    Hits              : 12

Tracking Cookie Object Recognized!
    Type              : IECache Entry
    Data              : stephen hines@landing.domainsponsor[1].txt
    TAC Rating        : 3
    Category          : Data Miner
    Comment            : Hits:5
    Value              : Cookie:stephen hines@landing.domainsponsor.com/
    Expires            : 9-22-2007 11:15:48 PM
    LastSync          : Hits:5
    UseCount          : 0
    Hits              : 5

Tracking Cookie Object Recognized!
    Type              : IECache Entry
    Data              : stephen hines@cgi-bin[2].txt
    TAC Rating        : 3
    Category          : Data Miner
    Comment            : Hits:3
    Value              : Cookie:stephen hines@www5.addfreestats.com/cgi-bin
    Expires            : 2-27-2015 7:00:00 PM
    LastSync          : Hits:3
    UseCount          : 0
    Hits              : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 39



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
    Type              : File
    Data              : PCheck.dll
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Object            : C:\Program Files\Common Files\WinSoftware\
    FileVersion        : 1.0.4.0
    ProductVersion    : 1.0.4.0
    ProductName        : Products Checker
    CompanyName        : WinSoftware, Ltd.
    FileDescription    : Products Checker
    InternalName      : PCheck.dll
    LegalCopyright    : 2005 © WinSoftware, Ltd. All rights reserved.
    OriginalFilename  : PCheck.dll


WinFixer Object Recognized!
    Type              : File
    Data              : UWFX5LP_0001_0803NetInstaller.exe
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Object            : C:\WINDOWS\Downloaded Program Files\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 41


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 41




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_CURRENT_USER
    Object            : software\microsoft\windows\currentversion\explorer\bitbucket\c

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : system\controlset001\enum\root\legacy_df_kmd

WinFixer Object Recognized!
    Type              : Regkey
    Data              :
    TAC Rating        : 3
    Category          : Misc
    Comment            :
    Rootkey            : HKEY_LOCAL_MACHINE
    Object            : system\currentcontrolset\enum\root\legacy_df_kmd

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 44

9:21:01 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:10:04.234
Objects scanned:116864
Objects identified:18
Objects ignored:0
New critical objects:18


Steve

Edited by MrSpkr, 24 September 2005 - 08:24 PM.

  • 0

#55
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,


Did you get the new issues after you posted the HJT log ??

Can you post a fresh HJT log??

The infection - Winfixer - shows up in some specific places in HJT log but is now visible in the previous log you posted.
  • 0

Advertisements


#56
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Here is the most recent HijackThis! log (done about five minutes ago):

Logfile of HijackThis v1.99.1
Scan saved at 1:49:31 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



This afternoon, I did not get the "svchost.exe" generic error I had been getting previously; however, I am still experiencing the "blackouts" occasionally. The blackouts (or memory issues) seem to occur mostly when I scroll up and down a long web page or when I first try to use the mouse wheel. I have not had this problem before.

The slow logon times have seemed to go away -- I suspect deleting Spybot SD and deactivating SpySweeper have something to do with that.

Steve

Edited by MrSpkr, 25 September 2005 - 12:57 PM.

  • 0

#57
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Copy the part in bold below into notepad and save it as fix.reg
Save as type:All files (The first line in the file should be REGEDIT4)


REGEDIT4

[-HKEY_CLASSES_ROOT\appid\{8c65aef6-e413-4314-815b-82717a3f1603}]

[-HKEY_CLASSES_ROOT\appid\checkproduct2.dll]

[-HKEY_CLASSES_ROOT\clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}]

[-HKEY_CLASSES_ROOT\clsid\{c427b3e3-28dc-4001-9590-d99b6776119b}]

[-HKEY_CLASSES_ROOT\interface\{4f79d1c5-24f9-4e59-8022-604d4b41d5ca}]

[-HKEY_CLASSES_ROOT\typelib\{30ed49a5-ca6c-4918-b5f3-5e6818c91d8b}]

[-HKEY_USERS\S-1-5-21-861567501-1715567821-1801674531-1003\software\microsoft\internet explorer\extensions\cmdmapping]
"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"=-

[-HKEY_CLASSES_ROOT\CheckProduct2.CheckProduct]

[-HKEY_CLASSES_ROOT\CheckProduct2.CheckProduct.1]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\bitbucket\c]

[-HKEY_LOCAL_MACHINE\system\controlset001\enum\root\legacy_df_kmd]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_df_kmd]



Open Add or Remove Programs (click on Start ---> Settings ---> Control panel. This should be the 3rd item). Uninstall or remove the following items -

Winsoftware

Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"

C:\Program Files\Common Files\WinSoftware\PCheck.dll
C:\Program Files\Common Files\WinSoftware
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe


As you Paste each entry into Killbox,place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Now Locate and DoubleClick fix.reg-> Allow it to merge into the Registry!

Restart back in Normal Mode and Post a fresh HijackThis log! Also check if Ad Aware finds any items.
  • 0

#58
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
There is no program called "winsoftware" in the control panel's "add/delete programs" list.

Am downloading killbox and running.

Steve

UPDATE:

I crashed out on the third program you told me to kill in Killbox (after several blackouts) -- though tht e log shows the file was deleted.

Also, I have no idea where to look for "fix.reg" -- I did a search and could not find it. Please advise.

Edited by MrSpkr, 25 September 2005 - 03:59 PM.

  • 0

#59
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
The big box in the quotes - that has to be saved in a text file and named as fix.reg.

Please read the instructions carefully.

Once you have saved the text file, it should be easy to locate it.
  • 0

#60
MrSpkr

MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Doh! :tazz:

Doing it now.

Steve
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP