[Solved] HijackThis log look it over please (merged)

Chief ADFP · May 12, 2004

Logfile of HijackThis v1.97.7
Scan saved at 9:44:04 PM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\GWHotKey.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Documents and Settings\Chief ADFP\Desktop\New Folder (2)\HijackThis.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0703562B-7878-4525-880C-4A52CB30B830} - C:\WINDOWS\hwoaet.dll
O2 - BHO: (no name) - {4E301C75-F1B3-4F23-A03F-ED5F107F400B} - C:\WINDOWS\jxrdo.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250

Please look it over and tell me what you see and i need to do, look when it come to spyware/adware/high jack items i am totally blind to it. so really like to know what is what in this report. thanks

Chief ADFP · May 12, 2004

Re: HijackThis log look it over please

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Wednesday, May 12, 2004 1:58:52 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R303 08.05.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R303 08.05.2004
Internal build : 235
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\reflist.ref
Total size : 1096786 Bytes
Signature data size : 1078166 Bytes
Reference data size : 18556 Bytes
Signatures total : 24182
Target categories : 10
Target families : 463

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:22 %
Total physical memory:261424 kb
Available physical memory:55952 kb
Total page file size:1022324 kb
Available on page file:745072 kb
Total virtual memory:2097024 kb
Available virtual memory:2057252 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

5-12-2004 1:58:52 AM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 5-12-2004 3:04:57 AM
BasePriority : Normal

#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 5-12-2004 3:05:03 AM
BasePriority : High

#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-12-2004 3:05:04 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 4:00:00 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/23/2001 4:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-12-2004 3:05:04 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 7/19/2002 11:45:32 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-12-2004 3:05:08 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 4:00:00 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/23/2001 4:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:05:08 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 4:00:00 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/23/2001 4:00:00 PM

#:7 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 5-12-2004 3:05:09 AM
BasePriority : Normal
FileSize : 828 KB
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
Copyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
CompanyName : Ahead Software AG
FileDescription : incdsrv
InternalName : incdsrv
OriginalFilename : incdsrv.exe
ProductName : Ahead Software AG incdsrv
Created on : 4/25/2004 8:42:30 AM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 2/27/2004 9:02:02 PM

#:8 [smc.exe]
FilePath : C:\Program Files\Sygate\SPF\
ThreadCreationTime : 5-12-2004 3:05:10 AM
BasePriority : Normal
FileSize : 2289 KB
FileVersion : 5.5.00.2525
ProductVersion : 5.5.00.2525
Copyright : Copyright
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
OriginalFilename : Smc.EXE
ProductName : Sygate
Created on : 12/24/2003 7:44:56 PM
Last accessed : 5/12/2004 6:15:40 AM
Last modified : 12/24/2003 7:44:56 PM

#:9 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-12-2004 3:05:13 AM
BasePriority : Normal
FileSize : 973 KB
FileVersion : 6.00.2800.1221 (xpsp2.030511-1403)
ProductVersion : 6.00.2800.1221
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 5/12/2003 5:12:10 AM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 5/12/2003 5:12:10 AM

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 5-12-2004 3:05:16 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 4:00:00 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/23/2001 4:00:00 PM

#:11 [devldr32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:05:22 AM
BasePriority : Normal
FileSize : 25 KB
FileVersion : 1, 0, 0, 22
ProductVersion : 1, 0, 0, 22
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
OriginalFilename : DevLdr32.exe
ProductName : Creative Ring3 NT Inteface
Created on : 2/22/2004 10:41:57 AM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 3/21/2001 10:27:00 PM

#:12 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ThreadCreationTime : 5-12-2004 3:05:22 AM
BasePriority : Normal
FileSize : 52 KB
Created on : 4/22/2004 2:20:08 AM
Last accessed : 5/12/2004 6:41:01 AM
Last modified : 4/21/2004 2:22:39 PM

#:13 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 5-12-2004 3:05:23 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/23/2068 4:44:46 AM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 2/23/2004 4:44:44 AM

#:14 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\Avast4\
ThreadCreationTime : 5-12-2004 3:05:23 AM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 4, 1, 357, 0
ProductVersion : 4, 1, 0, 0
Copyright : Copyright (c) 2003 ALWIL Software
FileDescription : avast! service GUI component
InternalName : aswDisp
OriginalFilename : aswDisp.exe
ProductName : avast! Antivirus
Created on : 4/22/2004 2:20:08 AM
Last accessed : 5/12/2004 6:41:01 AM
Last modified : 4/21/2004 2:28:58 PM

#:15 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 5-12-2004 3:05:23 AM
BasePriority : Normal
FileSize : 1240 KB
FileVersion : 4, 1, 5, 10
ProductVersion : 4, 1, 5, 10
Copyright : Copyright 1995-2004 Ahead Software AG and its licensors. All Rights Reserved.
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
OriginalFilename : InCD.exe
ProductName : Ahead Software AG InCD
Created on : 4/25/2004 8:42:29 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 2/27/2004 9:02:32 PM

#:16 [gwhotkey.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 5-12-2004 3:05:23 AM
BasePriority : Normal
FileSize : 96 KB
FileVersion : 6.5
ProductVersion : 6.5
Copyright : Copyright
CompanyName : BillP Studios
FileDescription : Multi-function Keyboard By Bill Pytlovany
ProductName : Gateway Multi-function Keyboard Utility
Created on : 4/26/2004 10:05:29 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 8/28/2001 4:13:28 PM

#:17 [popups~1.exe]
FilePath : C:\PROGRA~1\PANICW~1\POP-UP~1\
ThreadCreationTime : 5-12-2004 3:05:23 AM
BasePriority : Normal
FileSize : 496 KB
FileVersion : 1, 60, 0, 1002
ProductVersion : 1, 60, 0, 1002
Copyright : Copyright (C) 2002-2004
CompanyName : Panicware, Inc.
FileDescription : Pop-Up Stopper Professional
InternalName : Pop-Up Stopper Professional
OriginalFilename : PSProfessional.exe
ProductName : Pop-Up Stopper Professional

#:18 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ThreadCreationTime : 5-12-2004 3:05:24 AM
BasePriority : High
FileSize : 68 KB
FileVersion : 4, 1, 357, 0
ProductVersion : 4, 1, 0, 0
Copyright : Copyright (c) 2003 ALWIL Software
FileDescription : avast! antivirus service
InternalName : aswServ
OriginalFilename : aswServ.exe
ProductName : avast! Antivirus
Created on : 4/22/2004 2:20:08 AM
Last accessed : 5/12/2004 6:41:01 AM
Last modified : 4/21/2004 2:28:55 PM

#:19 [ctsvccda.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:05:29 AM
BasePriority : Normal
FileSize : 43 KB
FileVersion : 1.0.1.0
ProductVersion : 1.0.0.0
Copyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved.
CompanyName : Creative Technology Ltd
FileDescription : Creative Service for CDROM Access
InternalName : CTsvcCDAEXE
OriginalFilename : CTsvcCDA.EXE
ProductName : Creative Service for CDROM Access
Created on : 2/23/2004 1:08:50 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 12/13/1999 9:01:00 AM

#:20 [mxtask.exe]
FilePath : C:\PROGRA~1\VCOM\Fix-It\
ThreadCreationTime : 5-12-2004 3:05:29 AM
BasePriority : Normal
FileSize : 180 KB
FileVersion : 5.0.0.7
Copyright : Copyright
CompanyName : V Communications, Inc.
FileDescription : The background task server
InternalName : MXTask
OriginalFilename : MXTask.exe
Created on : 6/11/2003 12:31:00 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 6/11/2003 12:31:00 AM

#:21 [appservices.exe]
FilePath : C:\PROGRA~1\Iomega\System32\
ThreadCreationTime : 5-12-2004 3:05:29 AM
BasePriority : Normal
FileSize : 72 KB
FileVersion : 2, 0, 4, 2
ProductVersion : 2, 0, 4, 2
Copyright : Copyright
CompanyName : Iomega Corporation
FileDescription : AppServices
InternalName : AppServices
OriginalFilename : AppService.exe
ProductName : Iomega App Services
Created on : 9/24/2003 6:01:05 PM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 9/24/2003 2:00:34 PM

#:22 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:05:30 AM
BasePriority : Normal
FileSize : 108 KB
FileVersion : 6.14.10.5672
ProductVersion : 6.14.10.5672
Copyright : (C) NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 56.72
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 56.72
Created on : 3/24/2004 3:04:00 PM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 3/24/2004 3:04:00 PM

#:23 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:05:30 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-114
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 4:00:00 PM
Last accessed : 5/12/2004 6:58:52 AM
Last modified : 8/23/2001 4:00:00 PM

#:24 [mxtask.exe]
FilePath : C:\PROGRA~1\VCOM\Fix-It\
ThreadCreationTime : 5-12-2004 3:06:37 AM
BasePriority : Normal
FileSize : 180 KB
FileVersion : 5.0.0.7
Copyright : Copyright
CompanyName : V Communications, Inc.
FileDescription : The background task server
InternalName : MXTask
OriginalFilename : MXTask.exe
Created on : 6/11/2003 12:31:00 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 6/11/2003 12:31:00 AM

#:25 [wintv2k.exe]
FilePath : C:\Program Files\WinTV\
ThreadCreationTime : 5-12-2004 3:33:51 AM
BasePriority : Normal
FileSize : 3480 KB
FileVersion : 4.0.21126
ProductVersion : 4.0.21126
Copyright : Copyright (C) 1998-2003 Hauppauge Computer Works, Inc.
CompanyName : Hauppauge Computer Works
FileDescription : WinTV2000 Application
InternalName : WinTV2K
OriginalFilename : WinTV2K.EXE
ProductName : WinTV2000 Application
Created on : 2/22/2004 10:51:53 AM
Last accessed : 5/12/2004 6:39:20 AM
Last modified : 5/6/2003 11:16:32 PM

#:26 [taskmgr.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 5-12-2004 3:55:26 AM
BasePriority : High
FileSize : 125 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
OriginalFilename : taskmgr.exe
ProductName : Microsoft
Created on : 2/23/2004 6:12:51 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 8/29/2002 10:41:28 AM

#:27 [wmcache.exe]
FilePath : C:\PROGRA~1\Digimarc\IMAGEB~1\
ThreadCreationTime : 5-12-2004 4:47:58 AM
BasePriority : Normal
FileSize : 332 KB
FileVersion : 2.51.0048
ProductVersion : 2.51.0048
Copyright : Copyright
CompanyName : Digimarc Corporation
FileDescription : Watermark Cache Server
InternalName : Watermark Cache Server
OriginalFilename : WMCache.dll
Created on : 2/24/2004 7:43:43 AM
Last accessed : 5/12/2004 6:58:53 AM
Last modified : 3/18/2002 11:36:02 PM

#:28 [idman.exe]
FilePath : C:\Program Files\Internet Download Manager\
ThreadCreationTime : 5-12-2004 5:08:48 AM
BasePriority : Normal
FileSize : 447 KB
FileVersion : 4, 0, 1, 2
ProductVersion : 4, 0, 1, 2
Copyright : Copyright (C) 2003
CompanyName : Internet Download Manager Corp., Tonec Inc.
FileDescription : Internet Download Manager Application (IDM)
InternalName : Internet Download Manager
OriginalFilename : IDMan.exe
ProductName : Internet Download Manager (IDM)
Created on : 4/22/2004 1:34:39 PM
Last accessed : 5/12/2004 6:58:54 AM
Last modified : 4/30/2004 1:46:38 PM

#:29 [snagit32.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 7\
ThreadCreationTime : 5-12-2004 5:45:16 AM
BasePriority : Normal
FileSize : 3248 KB
FileVersion : 7.0.3.0
ProductVersion : 7.0.3
Copyright : Copyright
CompanyName : TechSmith Corporation
FileDescription : SnagIt Screen Capture for Windows
InternalName : SNAGIT
OriginalFilename : SNAGIT32.EXE
ProductName : SnagIt
Created on : 4/17/2004 10:33:54 AM
Last accessed : 5/12/2004 6:58:54 AM
Last modified : 1/26/2004 12:03:00 PM

#:30 [tschelp.exe]
FilePath : C:\Program Files\TechSmith\SnagIt 7\
ThreadCreationTime : 5-12-2004 5:45:19 AM
BasePriority : Normal
FileSize : 25 KB
FileVersion : 1.0.0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright
CompanyName : TechSmith Corporation
FileDescription : TechSmith HTML Help Helper
InternalName : TscHelp
OriginalFilename : TscHelp.exe
ProductName : TechSmith HTML Help Helper
Created on : 4/17/2004 10:33:59 AM
Last accessed : 5/12/2004 6:58:54 AM
Last modified : 1/26/2004 12:03:00 PM

#:31 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ThreadCreationTime : 5-12-2004 6:58:23 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 4/26/2004 10:21:49 PM
Last accessed : 5/12/2004 6:58:24 AM
Last modified : 7/13/2003 2:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Roings Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\roimoi

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 1

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Roings Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\ssprint

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2

2:03:10 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:04:15:708
Objects scanned :50529
Objects identified :2
Objects ignored :0
New objects :2

[don't know if this help any]

dvk01 · May 12, 2004

Re: HijackThis log look it over please

first copy these files and zip them and send to submit@thespykiller.co.uk with a short note referring to this thread
C:\WINDOWS\hwoaet.dll
C:\WINDOWS\jxrdo.dll

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0703562B-7878-4525-880C-4A52CB30B830} - C:\WINDOWS\hwoaet.dll
O2 - BHO: (no name) - {4E301C75-F1B3-4F23-A03F-ED5F107F400B} - C:\WINDOWS\jxrdo.dll
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

Chief ADFP · May 12, 2004

Re: HijackThis log look it over please

Zip-file name: reporting.zip
File size: 46.3 KB (47,455 bytes)
e-mail been send out at this time with the attachment

at this time doing what you have said to do after this post will be following thru after i print it out.

dvk01 · May 12, 2004

Re: HijackThis log look it over please

OK they both appear to be new versions of Roings, make sure they are fixed as above

I'm sending them on to the developers to include in updates

Chief ADFP · May 12, 2004

Re: HijackThis log look it over please

ok all done
Here the new listing to look over and thank you.
==========================================================[MOVE]Thank you so much[/MOVE]
By the way is Windows Xp Pro (OEM) NTFS/Fat32 Home user
1-HHD split in to 2-HHD C: (NTFS)main & H: (FAT32) I use this for games online only.
==========================================================
Logfile of HijackThis v1.97.7
Scan saved at 7:20:29 AM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\GWHotKey.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Documents and Settings\Chief ADFP\Desktop\New Folder (2)\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250

dvk01 · May 12, 2004

Re: HijackThis log look it over please

Turn off system restore by following instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

& it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Chief ADFP · May 16, 2004

Re: HijackThis log look it over please

dvk01 said:

first copy these files and zip them and send to submit@thespykiller.co.uk with a short note referring to this thread
C:\WINDOWS\hwoaet.dll
C:\WINDOWS\jxrdo.dll

Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0703562B-7878-4525-880C-4A52CB30B830} - C:\WINDOWS\hwoaet.dll
O2 - BHO: (no name) - {4E301C75-F1B3-4F23-A03F-ED5F107F400B} - C:\WINDOWS\jxrdo.dll
O3 - Toolbar: (no name) - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
Click to expand...

I did as you said some reason Quicktime got back in?
Log file:
Logfile of HijackThis v1.97.7
Scan saved at 2:13:03 AM, on 5/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Documents and Settings\Chief ADFP\Desktop\New Folder (2)\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250
=========End of the HiJackThis log-file===========================
I remove them to items that ref; to quicktime already please have a 2nd look over the list to see if i need to do more.

dvk01 · May 16, 2004

Re: HijackThis log look it over please

it all looks OK now

No need to worry about quicktime, the only reason for removing it originally was that they have released a security update to cure a massive hole that lets several hijackers on and when it is needed a new updated version would have been prompted to be downloaded, provided you had your security settings set correctly

Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

Chief ADFP · May 23, 2004

Re: HijackThis log look it over please

I instill Quick time 6 pro Vr 6.5.1
like to have the new updated log look over please:

Logfile of HijackThis v1.97.7
Scan saved at 10:36:38 AM, on 5/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\Documents and Settings\Chief ADFP\Desktop\New Folder (2)\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.126.128.40 216.126.136.250

All so it don't list all my drives there are 2 of them C: and H:this is not listed when it dose the scan?

Chief ADFP · Jun 4, 2004

Re: HijackThis log look it over please

some how "roings search eng" got back into my system spysweeper found it but i like to double check on it if there no restilling .dll in there some place

Logfile of HijackThis v1.97.7
Scan saved at 4:46:20 AM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\GWHotKey.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Panicware\Pop-Up Stopper Professional\PopUpStopperProfessional.exe
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\All Users\Start Menu\Programs\The spykiller\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: 42 AC Plug.lnk = C:\Program Files\iOpus-AC-Plug\acplug.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 66.19.192.200 216.126.128.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 66.19.192.200 216.126.128.40

dvk01 · Jun 4, 2004

Re: HijackThis log look it over please

no obvious signs of problems

Read here https://www.wilderssecurity.com/showthread.php?t=27971 for info on how to tighten your security settings and how to help prevent future attacks.

& go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Chief ADFP · Jun 4, 2004

Re: HijackThis log look it over please

I ran Ad-aware 6.0 and it found all these goodies:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, June 04, 2004 5:11:37 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R314 02.06.2004

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : SOFTWARE\Apropos

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 1

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Warning!
Bad hosts file entry:127.0.0.1:hotsearchbox.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hotsearchbox.com

Warning!
Bad hosts file entry:127.0.0.1:www.hotsearchbox.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.hotsearchbox.com

Warning!
Bad hosts file entry:127.0.0.1:searchxl.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchxl.com

Warning!
Bad hosts file entry:127.0.0.1:www.searchxl.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.searchxl.com

Warning!
Bad hosts file entry:127.0.0.1:i-lookup.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:i-lookup.com

Warning!
Bad hosts file entry:127.0.0.1:www.i-lookup.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.i-lookup.com

Warning!
Bad hosts file entry:127.0.0.1:hotwebsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hotwebsearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.hotwebsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.hotwebsearch.com

Warning!
Bad hosts file entry:127.0.0.1:mysearchnow.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:mysearchnow.com

Warning!
Bad hosts file entry:127.0.0.1:www.mysearchnow.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.mysearchnow.com

Warning!
Bad hosts file entry:127.0.0.1:1-se.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:1-se.com

Warning!
Bad hosts file entry:127.0.0.1:aifind.info

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:aifind.info

Warning!
Bad hosts file entry:127.0.0.1:alfa-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:alfa-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.alfa-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.alfa-search.com

Warning!
Bad hosts file entry:127.0.0.1:allneedsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:allneedsearch.com

Warning!
Bad hosts file entry:127.0.0.1:approvedlinks.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:approvedlinks.com

Warning!
Bad hosts file entry:127.0.0.1:find-itnow.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:just.find-itnow.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:just.find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:www.find-itnow.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.find-itnow.com

Warning!
Bad hosts file entry:127.0.0.1:firstbookmark.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:firstbookmark.com

Warning!
Bad hosts file entry:127.0.0.1:www.firstbookmark.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.firstbookmark.com

Warning!
Bad hosts file entry:127.0.0.1:ie-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:ie-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.ie-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.ie-search.com

Warning!
Bad hosts file entry:127.0.0.1:lookfor.cc

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:lookfor.cc

Warning!
Bad hosts file entry:127.0.0.1:www.lookfor.cc

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.lookfor.cc

Warning!
Bad hosts file entry:127.0.0.1mega-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1mega-search.com

Warning!
Bad hosts file entry:127.0.0.1:www.omega-search.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.omega-search.com

Warning!
Bad hosts file entry:127.0.0.1ower-search.info

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1ower-search.info

Warning!
Bad hosts file entry:127.0.0.1:www.power-search.info

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.power-search.info

Warning!
Bad hosts file entry:127.0.0.1:rightfinder.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:rightfinder.net

Warning!
Bad hosts file entry:127.0.0.1:www.rightfinder.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.rightfinder.net

Warning!
Bad hosts file entry:127.0.0.1:search-dot.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:search-dot.com

Warning!
Bad hosts file entry:127.0.0.1:www.search-dot.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.search-dot.com

Warning!
Bad hosts file entry:127.0.0.1:super-spider.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:super-spider.com

Warning!
Bad hosts file entry:127.0.0.1:t.rack.cc

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:t.rack.cc

Warning!
Bad hosts file entry:127.0.0.1:webcoolsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:webcoolsearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.webcoolsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.webcoolsearch.com

Warning!
Bad hosts file entry:127.0.0.1:in.webcounter.cc

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:in.webcounter.cc

Warning!
Bad hosts file entry:127.0.0.1:www.windowws.cc

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.windowws.cc

Warning!
Bad hosts file entry:127.0.0.1:world-search.biz

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:world-search.biz

Warning!
Bad hosts file entry:127.0.0.1:xwebsearch.biz

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:xwebsearch.biz

Warning!
Bad hosts file entry:127.0.0.1:search-1.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:search-1.net

Warning!
Bad hosts file entry:127.0.0.1:searchmyrequest.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchmyrequest.com

Warning!
Bad hosts file entry:127.0.0.1:therealsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:therealsearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.therealsearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.therealsearch.com

Warning!
Bad hosts file entry:127.0.0.1:find4u.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:find4u.net

Warning!
Bad hosts file entry:127.0.0.1:www.find4u.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.find4u.net

Warning!
Bad hosts file entry:127.0.0.1:searchforge.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchforge.com

Warning!
Bad hosts file entry:127.0.0.1:www.searchforge.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.searchforge.com

Warning!
Bad hosts file entry:127.0.0.1:hugesearch.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:hugesearch.net

Warning!
Bad hosts file entry:127.0.0.1:www.hugesearch.net

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.hugesearch.net

Warning!
Bad hosts file entry:127.0.0.1:www.search-and-go.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.search-and-go.com

Warning!
Bad hosts file entry:127.0.0.1:008i.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:008i.com

Warning!
Bad hosts file entry:127.0.0.1:www.008i.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.008i.com

Warning!
Bad hosts file entry:127.0.0.1:searchv.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchv.com

Warning!
Bad hosts file entry:127.0.0.1:www.searchv.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.searchv.com

Warning!
Bad hosts file entry:127.0.0.1:websearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:websearch.com

Warning!
Bad hosts file entry:127.0.0.1:www.websearch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.websearch.com

Warning!
Bad hosts file entry:127.0.0.1:search.ieplugin.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:search.ieplugin.com

Warning!
Bad hosts file entry:127.0.0.1:startium.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:startium.com

Warning!
Bad hosts file entry:127.0.0.1:www.startium.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.startium.com

Warning!
Bad hosts file entry:127.0.0.1:searchbar.findthewebsiteyouneed.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchbar.findthewebsiteyouneed.com

Warning!
Bad hosts file entry:127.0.0.1:default-homepage-network.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:default-homepage-network.com

Warning!
Bad hosts file entry:127.0.0.1:www.default-homepage-network.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.default-homepage-network.com

Warning!
Bad hosts file entry:127.0.0.1:searchcentrix.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:searchcentrix.com

Warning!
Bad hosts file entry:127.0.0.1:www.searchcentrix.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.searchcentrix.com

Warning!
Bad hosts file entry:127.0.0.1:connect.online-dialer.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:connect.online-dialer.com

Warning!
Bad hosts file entry:127.0.0.1:0190-dialer.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:0190-dialer.com

Warning!
Bad hosts file entry:127.0.0.1:couldnotfind.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:couldnotfind.com

Warning!
Bad hosts file entry:127.0.0.1:www.couldnotfind.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.couldnotfind.com

Warning!
Bad hosts file entry:127.0.0.1:slotch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:slotch.com

Warning!
Bad hosts file entry:127.0.0.1:www.slotch.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:www.slotch.com

Warning!
Bad hosts file entry:127.0.0.1:install.xxxtoolbar.com

Redirected hostfile entry Object recognized!
Type : Hosts file
Data : 127.0.0.1
Category : Misc
Comment : Possible CoolWebSearch Hijack
Bad Hostfile entry : 127.0.0.1:install.xxxtoolbar.com

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
4336 entries scanned.
New objects :73
Objects found so far: 74

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

PeopleOnPage Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{A2872B10-39F2-42DF-9335-7DD38CF75255}

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 75

5:16:18 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:04:40:873
Objects scanned :62223
Objects identified :75
Objects ignored :0
New objects :75

Image of the report:
http://bb.domaindlx.com/ADFP/SS/ad-ware.jpg

cont:

Chief ADFP · Jun 4, 2004

Re: HijackThis log look it over please

Cont:
i had it do a scan again this time a deap scan found these items 3ea:

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, June 04, 2004 1:08:00 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R314 02.06.2004

Deep scanning and examining files (C
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

BroadCastPC Object recognized!
Type : File
Data : ast_4_mm.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 148 KB
Created on : 4/23/2004 2:36:50 PM
Last accessed : 6/4/2004 5:25:38 PM
Last modified : 4/23/2004 3:04:52 PM

BroadCastPC Object recognized!
Type : File
Data : syswast.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileSize : 148 KB
Created on : 4/23/2004 3:05:40 PM
Last accessed : 6/4/2004 5:25:41 PM
Last modified : 4/23/2004 3:04:54 PM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2

Deep scanning and examining files (H
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for H:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 2

Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
4263 entries scanned.
New objects :0
Objects found so far: 2

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

BroadCastPC Object recognized!
Type : File
Data : at.aut
Category : Data Miner
Comment :
Object : c:\windows\

Created on : 4/23/2004 3:06:04 PM
Last accessed : 6/4/2004 5:25:58 PM
Last modified : 4/23/2004 3:06:04 PM

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 3

1:25:59 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:17:58:91
Objects scanned :170539
Objects identified :3
Objects ignored :0
New objects :3

did not see it: HijackThis / Spybot - Search & Destroy / SpywareBlaster / Spy Sweeper (www.webroot.com).

Pieter_Arntz · Jun 5, 2004

Re: HijackThis log look it over please

Hi ChiefADFP,

Before you go paranoid on me, read up on what a hosts file does: http://accs-net.com/hosts/

Regards,

Pieter

Chief ADFP · Jun 11, 2004

Re: HijackThis log look it over please

Pieter_Arntz said:

Hi ChiefADFP,

Before you go paranoid on me, read up on what a hosts file does: http://accs-net.com/hosts/

Regards,

Pieter
Click to expand...

thanks for the info never know that before.

what you think be best for me i using Windows Xp pro SP1 (OEM) NTFS/Fat32

Pieter_Arntz · Jun 11, 2004

Re: HijackThis log look it over please

From the looks of it you already have a good hosts file.
If you use the computer only online for gaming as you stated, I see no reason to get an enormous one.

Regards,

Pieter

Pieter_Arntz · Jun 11, 2004

Re: HijackThis log look it over please

Hie Chief ADFP,

I moved your firewall question over here: https://www.wilderssecurity.com/showthread.php?t=35971

Regards,

Pieter

Chief ADFP · Jun 11, 2004

Re: HijackThis log look it over please

thank you

Chief ADFP · Jun 14, 2004

Re: HijackThis log look it over please

sorry for bothering you all but i things are not acting right at all.

Logfile of HijackThis v1.97.7
Scan saved at 6:45:08 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\The spykiller\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to Swatch.lnk = C:\Program Files\swatch internet time\Swatch.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254

Chief ADFP · Jun 22, 2004

could some one please look it over

Chief ADFP - I have merged your last posted hjt log into your current thread. Please do not start a new thread for the same computer - snap

think i am clean but like to double check it.

Logfile of HijackThis v1.97.7
Scan saved at 8:49:31 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\GWHotKey.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\PROGRA~1\Digimarc\IMAGEB~1\WMCache.exe
C:\Documents and Settings\All Users\Start Menu\Programs\The spykiller\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to Swatch.lnk = C:\Program Files\swatch internet time\Swatch.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1077594588642
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38040.1034837963
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254

Chief ADFP · Jun 22, 2004

Re: HijackThis log look it over please (merged)

don't know this for real or a fake report?
attachment: Delivery error report.dat file size: 315.kbVIRUS ALERT
Our content checker found
virus: Worm.SomeFool.Gen-2
in email presumably from you ~snipped out email addy~, to the following recipient:
-> sales@autotoyotaparts.com

Please check your system for viruses,
or ask your system administrator to do so.

Delivery of the email was stopped!

For your reference, here are headers from your email:
------------------------- BEGIN HEADERS -----------------------------
Return-Path: ~snipped out email addy~
Received: from autotoyotaparts.com (dialup-4.154.241.50.Dial1.Boston1.Level3.net [4.154.241.50])
by mail.autopartswebsolutions.net (Postfix) with SMTP id 0644E2742B7
for <sales@autotoyotaparts.com>; Mon, 21 Jun 2004 17:20:18 -0400 (EDT)
From: ~snipped out email addy~
To: sales@autotoyotaparts.com
Subject: information
Date: Mon, 21 Jun 2004 17:21:01 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="47126718"
Message-Id: <20040621212018.0644E2742B7@mail.autopartswebsolutions.net>
-------------------------- END HEADERS ------------------------------

--------------------------------------------------------------------------------

Received: from autotoyotaparts.com (dialup-4.154.241.50.Dial1.Boston1.Level3.net [4.154.241.50])
by mail.autopartswebsolutions.net (Postfix) with SMTP id 0644E2742B7
for <sales@autotoyotaparts.com>; Mon, 21 Jun 2004 17:20:18 -0400 (EDT)
From: ~snipped out email addy~
To: sales@autotoyotaparts.com
Subject: information
Date: Mon, 21 Jun 2004 17:21:01 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="47126718"
Message-Id: <20040621212018.0644E2742B7@mail.autopartswebsolutions.net>

Pieter_Arntz · Jun 22, 2004

Re: HijackThis log look it over please (merged)

I would edit the emailadresses out of that post before the harvesters get them.
This is exactly the way to increase the amount of that sort of mail.

You getting such a mail, does not mean you are infected, but someone with your email addres stored on his computer is infected.

Regards,

Pieter

Chief ADFP · Jul 20, 2004

Re: HijackThis log look it over please (merged)

I had some clair ad-ware in the system Spybot S&D did not see all of it, but Ad-ware 6.0 did see some of it, please let me know it all clear and good to go.

Logfile of HijackThis v1.98.0
Scan saved at 4:41:37 AM, on 7/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\WinTV\WinTV2K.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\The spykiller\HijackThis\HijackThis.exe

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WackGet Browser Helper Object - {248B131E-01EA-4587-8EFE-1D915E143D5E} - C:\Program Files\WackGet\WGDLL.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Digimarc ImageBridge reader BHO for IE - {6D6F1AF0-DDCB-477F-A896-5D75E53B80A3} - C:\Program Files\Digimarc\ImageBridgeReader\RM4IE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: WackGet it! - C:\Program Files\WackGet\wgbho.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254
O17 - HKLM\System\CS1\Services\Tcpip\..\{709D9B5E-E159-4081-A11E-E88A0CEB0CB4}: NameServer = 216.140.16.254 216.140.17.254

snapdragin · Jul 20, 2004

Re: HijackThis log look it over please (merged)

Hi Chief ADFP,

Your log looks clean.

There's a few things you can fix if you want.

In Hijackthis, place a check beside the following.
Make sure all browsers are closed, then click *Fix checked:

This one means you had a crash at some point, and Windows puts it in your startup. You can fix this one.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

This one is not needed at startup. http://www.windowsstartup.com/wso/detail.php?id=4062

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

If you choose not to use it, or do not want to keep it, you can uninstall the PCDoctor through the Add/Remove Programs.

Regards,

snap

Log in or Sign up

[Solved] HijackThis log look it over please (merged)

Chief ADFP Registered Member

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

Chief ADFP Registered Member

Chief ADFP Registered Member

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

snapdragin Registered Member

Log in or Sign up

[Solved] HijackThis log look it over please (merged)

Chief ADFP Registered Member

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

Chief ADFP Registered Member

dvk01 Global Moderator

Chief ADFP Registered Member

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

Chief ADFP Registered Member

Chief ADFP Registered Member

Chief ADFP Registered Member

Pieter_Arntz Spyware Veteran

Chief ADFP Registered Member

snapdragin Registered Member

Useful Searches