Tech Support Guy forum thread (not open for further replies; 19 posts)

Rob (Premium Member, 52,999 posts):
Sounds like you have some spyware issues.

Please do the following:

To check for a virus, please visit one of the following sites for a free online virus scan. Even if you have a virus scanner installed, this one gives you a second opinion, and it will be up to date, which yours might not be.

Symantec:
http://security.symantec.com/sscv6/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=TBOWYHGBYNCJEIMXQKC

Trend Micro:
http://housecall.trendmicro.com

If you do not currently have an antivirus program installed, you can try AVG from www.grisoft.com; it is free.

In IE go to Tools -> Internet Options -> and delete Files and Cookies.

To check for and remove any Spyware or Adware that may be installed on your machine, download and install Ad-aware and Spybot. Then update each program before scanning. Fix ALL problems found by either of the programs. You may need to reboot and have the scan run at startup. Run it again to make sure all components have been removed. There is also an Immunize feature in Spybot that should be enabled to protect against some installations of Adware/Spyware.

Ad-aware and Spybot:
http://spywareinfo.com/downloads.php?cat=sp#det

You should also download CWShredder and run that to fix any CWS infections:
http://www.spywareinfo.com/~merijn/downloads.html

If you have Kazaa, it has to go. Uninstall through ADD/REMOVE PROGRAMS in Control Panel then use Kazaa Begone to remove it completely. Kazaa is full of Spyware and spreads viruses. All file-sharing programs cause a multitude of problems and promote illegal sharing of information.

Kazaa Begone:
http://www.spywareinfo.com/~merijn/downloads.html

Then post a HijackThis log to have someone analyze it for further cleaning/recommendations.

Hijack This:
http://www.spywareinfo.com/~merijn/downloads.html

Jim (Gone but Never Forgotten, 27,293 posts):
Hello and welcome to TSG!

It looks like your homepage has been hijacked. To see what kind of nasties are lurking in your system, first download HijackThis run it and generate a log. Paste the log here so we can examine it. Do not attempt to fix anything just yet.

Jim (Gone but Never Forgotten, 27,293 posts):
Oops!

Looks like Triple6 beat me to the punch! Fair enough; you are in good hands! :)

Discussion Starter (post #5), 22 posts:
Hello to all, and thanks for helping me out thus far. I've never really used one of these sites before because I am stubborn, however, I will be using these sites from now on because I see that there are people that really do want to help each other out. I am currently downloading the programs and going to run the virus scan.

I have another problem; well, my friend does, and I hope someone can help me. I have previously posted about the error on their computer, "grpconv has caused error in KBDAB.dll". Should I have him download the same stuff you guys told me to, and perhaps he can be helped that way? Thanks for all the help thus far.

Jim (Gone but Never Forgotten, 27,293 posts):
Yes, running those apps can't hurt, and they may even reveal a problem and lead to a solution.

But to avoid any possible confusion it is best to start a new thread for a separate problem. That way, symptoms and possible fixes won't get mixed up.

Discussion Starter (post #7), 22 posts:
I ran the shredder and Ad-aware, and I did not run KazaaBegone because of this:

There is a known issue with using this software in combination with obsolete versions of Lavasoft's popular AD-Aware utility. A known issue in some versions of AD-Aware results in improper removal of pests such as New.Net, CommonName, and WebHancer, resulting in lost Internet access. If LSP-Fix is used subsequently to repair these errors, the system may begin exhibiting crashes in MSAFD.DLL and/or RPCSS. This can be fixed by performing a "hard restore" of Windows' networking components. This involves uninstalling the "Communications" item in Windows setup, deleting the Winsock2 registry key, and reinstalling Communications. http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dun_1.3/5289.psc.html explains this procedure in detail.

Now I use the latest version of Ad-aware, CWShredder, and the virus scan, so can I go ahead and use KazaaBegone?

I don't have the disks for my Windows either, and that could be a problem with this:

http://support.earthlink.net/mu/1/psc/img/walkthroughs/windows_9x_nt/dialers/dun_1.3/5289.psc.html

which it says to go by if you have to do what that warning describes.

Here are the HijackThis results; please help any way possible. Thanks:

Logfile of HijackThis v1.97.7
Scan saved at 7:57:54 PM, on 3/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\AOLFIX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\CDS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=MNxxtm7GNh6&id2=U1d0btwUq5f&lp=1&nsv=5.1.0.4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O1 - Hosts: 64.4.43.7 www.hotmail.com
O1 - Hosts: 64.4.53.7 hotmail.com
O1 - Hosts: 205.188.160.121 aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [AolFix] C:\windows\system\AolFix.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
O9 - Extra button: Guide (HKLM)
O9 - Extra button: PeoplePC (HKLM)
O9 - Extra button: Wallet (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/035897.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://207.246.124.105/cabs/ROOSTER3001/TPS108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {8D37126F-C08C-11D4-A248-005056BF3741} (plug Class) -
O16 - DPF: {3D36A2F9-2205-484b-87CA-2F090985C00E} (nsBrowserConfig Class 2) -
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) -
O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -
O16 - DPF: {DC054EBF-3C6F-4d29-87AB-84344BD3DA2B} (Remote Loading Module) -
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://tmaster.superb.net/tm2002oneclick/setup.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {4AD7DA15-AB2F-4C91-BEF5-3876DA4A2CCC} - http://www.cambridgesoft.com/plugins/activex/install/NetInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37966.6955208333
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12189c7bbfbf964fb802/netzip/RdxIE601.cab
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.h-desk-soft.com/hdesk_offer_02/HDeskSetup_A.exe
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab

Registered member, 46,025 posts:
Put checks in the following HijackThis Scan entries, close all browser windows and click "fix checked":

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gen...amp;nsv=5.1.0.4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm

O1 - Hosts: 64.4.43.7 www.hotmail.com
O1 - Hosts: 64.4.53.7 hotmail.com
O1 - Hosts: 205.188.160.121 aol.com

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup

O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com

O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/035897.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://207.246.124.105/cabs/ROOSTER3001/TPS108.cab

O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.h-desk-soft.com/hdesk_of...DeskSetup_A.exe

>>> Reboot and go to Add/Remove programs and remove New.net if found there. If you have trouble with it see this link:

http://www.newdotnet.com/#remove

>>> Go to Start > Run and enter:

NSCheck /uninstall

>>> Reboot again.

Now UPDATE and run either Ad-Aware, Spybot or both following instructions here:

Spybot Instructions and Download
Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73

Have them remove all suspicious files. Then Reboot again and post another Scanlog.
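The post above picks out the lines to "fix checked" by eye. The script below is an added example (not part of the original thread and not HijackThis's own logic) that writes that judgement down as explicit rules and runs them over lines copied from the log posted earlier in the thread: hosts-file entries that pin webmail/ISP domains to fixed IPs, a proxy auto-config (PAC) URL served by a third party, a `system32` path on an OS that has no such directory, IE reset defaults rewritten to a search site, ActiveX downloads that are bare `.exe` files, come from a raw IP, or carry a hand-made placeholder CLSID, and known adware path fragments. The watch-lists (`SENSITIVE_HOSTS`, `IERESET_ALLOWED`, `ADWARE_FRAGMENTS`) are assumptions for this example; the rules are deliberately broader than the volunteer's list (they also flag the Blubster context-menu item and raw-IP `.cab` downloads), so treat the output as a candidate list for a human, not an automatic fix.

```python
"""HijackThis log triage: flag the lines a volunteer would tell the poster to fix.

Added example, not part of the thread; the rules and watch-lists are my own
heuristics, not HijackThis's.  SAMPLE_LOG lines are copied from the posted log.
"""
import re
from ipaddress import ip_address

# Assumed watch-list: a home PC has no legitimate reason to pin these to fixed IPs.
SENSITIVE_HOSTS = {"hotmail.com", "www.hotmail.com", "aol.com", "msn.com"}
# Assumed: domains that may legitimately own IE's reset defaults (O14 lines).
IERESET_ALLOWED = {"microsoft.com", "msn.com"}
# Assumed: path/name fragments of the adware components seen in this thread.
ADWARE_FRAGMENTS = ("\\myway\\", "newdot", "new.net", "blubster")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/:\s?]+)", re.IGNORECASE)
CLSID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def host_of(text):
    m = URL_HOST_RE.search(text)
    return m.group(1).lower() if m else ""


def base_domain(host):
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line, win9x=True):
    """Return a reason to fix this HijackThis line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low, host = body.lower(), host_of(body)

    if sec == "O1" and low.startswith("hosts:"):
        ip, _, name = body[6:].strip().partition(" ")
        name = name.strip().lower()
        if name in SENSITIVE_HOSTS and is_ip(ip) and not ip_address(ip).is_loopback:
            return f"hosts file pins {name} to {ip}"
    elif sec == "R1" and "autoconfigurl" in low:
        # A third-party PAC file routes every browser request through its proxy.
        return f"proxy auto-config served by {host or 'unknown host'}"
    elif sec == "R0" and win9x and "system32" in low:
        # Windows 9x/ME keeps system files in \WINDOWS\SYSTEM; system32 does not exist there.
        return "points at a system32 path that does not exist on Windows 9x/ME"
    elif sec in ("O2", "O3", "O4", "O8") and any(f in low for f in ADWARE_FRAGMENTS):
        return "matches a known adware component"
    elif sec == "O14" and host and base_domain(host) not in IERESET_ALLOWED:
        return f"IE reset defaults rewritten to {host}"
    elif sec == "O16":
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        clsid = CLSID_RE.search(body)
        if url.endswith(".exe"):
            return "ActiveX download is a bare .exe"
        if host and is_ip(host):
            return f"ActiveX download from raw IP {host}"
        if clsid and len(set(clsid.group(1).replace("-", ""))) <= 2:
            # Real CLSIDs are random; {1111...} / {0FFF...} are hand-made placeholders.
            return "placeholder CLSID"
    return None


def triage(log_text, win9x=True):
    """Return [(line, reason)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line, win9x)
        if reason:
            hits.append((line.strip(), reason))
    return hits


SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=MNxxtm7GNh6&id2=U1d0btwUq5f&lp=1&nsv=5.1.0.4
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O1 - Hosts: 64.4.43.7 www.hotmail.com
O1 - Hosts: 64.4.53.7 hotmail.com
O1 - Hosts: 205.188.160.121 aol.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/035897.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://207.246.124.105/cabs/ROOSTER3001/TPS108.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.h-desk-soft.com/hdesk_offer_02/HDeskSetup_A.exe
"""

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FIX  {reason}\n     {line}")
```

The Acrobat BHO and the Macromedia Flash control pass through untouched, which matches the correction made two posts later: a triage rule should key on what an entry does (where it downloads from, what it overrides), not merely on an entry type being unfamiliar.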

Jim (Gone but Never Forgotten, 27,293 posts):
Please have patience. Help here is on a volunteer basis and there isn't somebody on duty 24/7.

I am no HijackThis expert, but you can go into Control Panel > Add/Remove Programs and search for anything that looks suspicious or unfamiliar. Especially look for something called Newnet or Newdot. Remove them and reboot, then run HijackThis again and have it delete the following:

O1 - Hosts: 64.4.43.7 www.hotmail.com

O1 - Hosts: 64.4.53.7 hotmail.com

O1 - Hosts: 205.188.160.121 aol.com

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O9 - Extra button: Guide (HKLM)

O9 - Extra button: PeoplePC (HKLM)

O9 - Extra button: Wallet (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=http://www.searchalot.com/search.htm

O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com/

O14 - IERESET.INF: MS_START_PAGE_URL=http://www.searchalot.com

Have you run Spybot as Triple6 suggested? If not, download it and make sure to update it. Run it and let it fix anything it lists in red. Reboot, run HijackThis again and post a fresh log here.

Registered member, 826 posts:
Do not remove the following:
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe


Do as Rollin' has suggested and then post another log.

Discussion Starter (post #12), 22 posts:
I've done everything else I was supposed to do thus far, and so far, so good. I ran Ad-aware, and following the directions, it says to post the log and wait until I make sure I know what I'm getting rid of. Thanks again, and I'll check this in the afternoon!

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Monday, March 29, 2004 2:20:23 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R276 27.03.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R276 27.03.2004
Internal build : 203
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 988898 Bytes
Signature data size : 971553 Bytes
Reference data size : 17281 Bytes
Signatures total : 21874
Target categories : 10
Target families : 468

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:58 %
Total physical memory:392700 kb
Available physical memory:170000 kb
Total page file size:1704448 kb
Available on page file:1555000 kb
Total virtual memory:2093056 kb
Available virtual memory:2042944 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result

3-29-2004 2:20:23 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4287606451
Threads : 9
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:17 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966103
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:55 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:3 [msgloop.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294843203
Threads : 1
Priority : Normal
FileSize : 5 KB
FileVersion : 4.05.00.2112
ProductVersion : 4.05.00.2112
Copyright : Copyright (c) Rockwell Corporation 1996-1998.
CompanyName : Rockwell Corporation
FileDescription : Rockwell WaveStream Message Server
InternalName : MSGLOOP.EXE
OriginalFilename : MSGLOOP.EXE
ProductName : WaveStream\Endless Wave
Created on : 1/1/1601
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/24/1999 11:35:36 PM

#:4 [msg32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294864135
Threads : 1
Priority : Realtime
FileSize : 16 KB
FileVersion : 4.05.00.2112
ProductVersion : 4.05.00.2112
Copyright : Copyright
CompanyName : Rockwell Corporation
FileDescription : Rockwell WaveStream Message Server
InternalName : MSGLOOP.EXE
OriginalFilename : MSGLOOP.EXE
ProductName : WaveStream\Endless Wave
Created on : 1/1/1601
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/24/1999 11:39:04 PM

#:5 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294864395
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 12/27/2000 12:26:21 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:6 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294868607
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:55 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:7 [aolfix.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294873887
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright
CompanyName : Hewlett-Packard Co.
FileDescription : Repairs power management configuration
InternalName : Jvprjsxfcs
OriginalFilename : AolFix.exe
ProductName : Hewlett-Packard AolFix Application
Created on : 1/11/2000 1:24:34 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 1/11/2000 1:24:34 AM

#:8 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294898051
Threads : 3
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 12/27/2000 12:25:55 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:9 [avsynmgr.exe]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\
ProcessID : 4294881159
Threads : 4
Priority : Normal
FileSize : 152 KB
Copyright : gin
Created on : 11/26/2001 9:51:00 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/26/2001 9:51:00 PM

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294784999
Threads : 18
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 12/27/2000 12:23:42 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:11 [hidserv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294800495
Threads : 1
Priority : Normal
FileSize : 25 KB
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : HID Audio Service
InternalName : hidserv
OriginalFilename : HIDSERV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:22:30 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:12 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294894095
Threads : 2
Priority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 12/12/2003 3:19:49 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 12/12/2003 3:19:50 AM

#:13 [vsstat.exe]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\
ProcessID : 4294724079
Threads : 2
Priority : Normal
FileSize : 96 KB
Copyright : Cop
Created on : 11/26/2001 9:51:00 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/26/2001 9:51:00 PM

#:14 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294752567
Threads : 3
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 3/19/2004 1:47:54 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/3/2000 10:23:10 PM

#:15 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294745367
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:16 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294766283
Threads : 4
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:17 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294885987
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:18 [hpsysdrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294758943
Threads : 1
Priority : Normal
FileSize : 51 KB
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
OriginalFilename : hpsysdrv.exe
ProductName : hpsysdrv
Created on : 3/9/2000 1:53:18 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/7/1998 2:04:38 PM

#:19 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294679687
Threads : 25
Priority : Realtime
FileSize : 31 KB
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 1/17/2002 5:20:28 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 1/17/2002 5:20:28 AM

#:20 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294660431
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:26:00 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:21 [rundll32.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294582783
Threads : 2
Priority : Normal
FileSize : 24 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-1998
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
OriginalFilename : RUNDLL.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:57 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:22 [avconsol.exe]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\
ProcessID : 4294678319
Threads : 2
Priority : Normal
FileSize : 160 KB
Copyright : <?1
Created on : 11/26/2001 9:51:00 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/26/2001 9:51:00 PM

#:23 [vshwin32.exe]
FilePath : C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\
ProcessID : 4294646683
Threads : 6
Priority : Normal
FileSize : 116 KB
Copyright : ¼>1
Created on : 11/26/2001 9:51:00 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/26/2001 9:51:00 PM

#:24 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294463371
Threads : 3
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 12/27/2000 12:26:00 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:25 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294710955
Threads : 2
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:26 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294456695
Threads : 3
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:57 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:27 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294456935
Threads : 5
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:28 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294422851
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/29/2004 12:21:38 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 7/13/2003 3:00:20 AM

#:29 [stimon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294482027
Threads : 5
Priority : Normal
FileSize : 27 KB
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 12/27/2000 12:25:58 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Windows\CurrentVersion\Internet SettingsAutoConfigUrlmarketscore.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://proxycfg.marketscore.com/gencfg.asp?id1=MNxxtm7GNh6&id2=U1d0btwUq5f&lp=1&nsv=5.1.0.4"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value : AutoConfigUrl
Data : "http://proxycfg.marketscore.com/gencfg.asp?id1=MNxxtm7GNh6&id2=U1d0btwUq5f&lp=1&nsv=5.1.0.4"

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1

Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

TPS108 Object recognized!
Type : File
Data : tps108.html
Category : Data Miner
Comment :
Object : C:\

Dialer Object recognized!
Type : File
Data : nsupd9x.inf
Category : Malware
Comment : Proclaim Telcom
Object : C:\WINDOWS\INF\

Created on : 8/22/2000 5:18:22 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 8/22/2000 5:18:22 PM

TPS108 Object recognized!
Type : File
Data : tps108.inf
Category : Data Miner
Comment :
Object : C:\WINDOWS\INF\

Created on : 2/22/2002 8:34:40 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 2/22/2002 8:34:40 PM

ToolbarCC Object recognized!
Type : File
Data : winpkpk.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\TEMP\
FileSize : 9 KB
Created on : 7/18/2003 3:33:43 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 7/18/2003 3:33:44 PM

ToolbarCC Object recognized!
Type : File
Data : winlobe.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\TEMP\
FileSize : 10 KB
Created on : 7/21/2003 4:03:54 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 7/21/2003 4:03:56 PM

VX2.BetterInternet Object recognized!
Type : File
Data : belt.exe
Category : Data Miner
Comment :
Object : C:\WINDOWS\TEMP\
FileSize : 80 KB
FileVersion : 0, 1, 1, 3
ProductVersion : 0, 1, 1, 3
Copyright : Copyright
CompanyName : Better Internet Inc.
FileDescription : www.abetterinternet.com
Created on : 2/16/2004 4:02:32 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 8/15/2003 9:18:20 PM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 12:54:05 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 12:54:06 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 12:50:22 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 12:50:24 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 5:03:48 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:03:50 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 5:03:47 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:03:48 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected]ox[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\
FileSize : 2 KB
Created on : 3/29/2004 5:17:04 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:17:06 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 5:14:37 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:14:38 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 5:17:04 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:17:06 AM

Tracking Cookie Object recognized!
Type : File
Data : randy [email protected][1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 3/29/2004 5:17:02 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 3/29/2004 5:17:04 AM

WildTangent Object recognized!
Type : File
Data : wtcpl.cpl
Category : Data Miner
Comment :
Object : C:\WINDOWS\SYSTEM\
FileSize : 44 KB
FileVersion : 1.6.1.2
ProductVersion : 1.6.1.2
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wtcpl
InternalName : wtcpl
OriginalFilename : wtcpl.cpl
ProductName : Wild Tangent wtcpl
Created on : 12/1/2003 6:28:14 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 9/23/2003 11:48:48 PM

Dialer Object recognized!
Type : File
Data : nsupd9x.inf
Category : Malware
Comment : Proclaim Telcom
Object : C:\WINDOWS\Downloaded Program Files\

Created on : 8/22/2000 5:18:22 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 8/22/2000 5:18:22 PM

NiteLine Media Object recognized!
Type : File
Data : dialer.inf
Category : Vulnerability
Comment :
Object : C:\WINDOWS\Downloaded Program Files\

Created on : 11/15/2001 2:26:20 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/15/2001 2:26:20 PM

EGroup Dialer Object recognized!
Type : File
Data : ieaccess2.inf
Category : Malware
Comment : IEAccess (eGroup)
Object : C:\WINDOWS\Downloaded Program Files\

Created on : 10/8/2002 3:07:36 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 10/8/2002 3:07:36 PM

Lop.com Object recognized!
Type : File
Data : mp3.exe
Category : Malware
Comment :
Object : C:\WINDOWS\Downloaded Program Files\
FileSize : 73 KB
Created on : 9/16/2002 4:13:34 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 9/16/2002 4:13:48 AM

Dialer Object recognized!
Type : File
Data : installer.inf
Category : Malware
Comment :
Object : C:\WINDOWS\Downloaded Program Files\

Created on : 1/20/2003 8:52:38 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 1/20/2003 8:52:38 PM

TPS108 Object recognized!
Type : File
Data : preinsttps108.exe
Category : Malware
Comment :
Object : C:\WINDOWS\
FileSize : 32 KB
Created on : 2/22/2002 8:34:38 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 2/22/2002 8:34:38 PM

New.Net Object recognized!
Type : File
Data : ndnuninstall4_80.exe
Category : Misc
Comment :
Object : C:\WINDOWS\
FileSize : 51 KB
Created on : 2/14/2003 12:25:55 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 2/14/2003 12:25:56 AM

New.Net Object recognized!
Type : File
Data : ndnuninstall4_88.exe
Category : Misc
Comment :
Object : C:\WINDOWS\
FileSize : 43 KB
Created on : 5/25/2003 10:27:24 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/25/2003 10:27:26 PM

New.Net Object recognized!
Type : File
Data : ndnuninstall5_40.exe
Category : Misc
Comment :
Object : C:\WINDOWS\
FileSize : 48 KB
Created on : 9/18/2003 4:12:15 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 9/18/2003 4:12:16 AM

New.Net Object recognized!
Type : File
Data : ndnuninstall5_20.exe
Category : Misc
Comment :
Object : C:\WINDOWS\
FileSize : 44 KB
Created on : 8/4/2003 6:41:22 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 8/4/2003 6:41:24 PM

New.Net Object recognized!
Type : File
Data : ndnuninstall5_48.exe
Category : Misc
Comment :
Object : C:\WINDOWS\
FileSize : 48 KB
Created on : 11/15/2003 10:34:07 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/15/2003 10:34:08 PM

PromulGate Object recognized!
Type : File
Data : dpi.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Common Files\Dpi\
FileSize : 92 KB
Created on : 11/6/2003 9:53:44 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/6/2003 9:50:04 PM

SecretCrush Object recognized!
Type : File
Data : restart.exe
Category : Malware
Comment :
Object : C:\Program Files\Logitech\Desktop Messenger\8876480\6.1.0.155-8876480L\Program\
FileSize : 16 KB
Created on : 4/24/2002 11:31:30 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 4/24/2002 11:31:32 PM

New.Net Object recognized!
Type : Folder
Category : Misc
Comment :
Object : C:\Program Files\FirstLook

eUniverse Object recognized!
Type : File
Data : incfindbho.dll
Category : Data Miner
Comment :
Object : C:\Program Files\IncrediFind\BHO\
FileSize : 40 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright 2003
FileDescription : BHO Module
InternalName : BHO
OriginalFilename : BHO.DLL
ProductName : BHO Module
Created on : 10/16/2003 5:49:20 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 10/16/2003 5:49:20 PM

Cydoor Object recognized!
Type : File
Data : cd_install_336.exe
Category : Data Miner
Comment :
Object : C:\Program Files\Blubster\
FileSize : 281 KB
ProductVersion : Morpheus
ProductName : Morpheus
Created on : 2/23/2004 6:07:40 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 5/21/2003 8:37:58 AM

TopMoxie Object recognized!
Type : File
Data : blubstersupport.exe
Category : Data Miner
Comment :
Object : C:\Program Files\BlubsterSupport\
FileSize : 44 KB
Created on : 9/15/2003 10:38:30 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 9/15/2003 10:38:30 PM

TopMoxie Object recognized!
Type : File
Data : blubstersupport1.exe
Category : Data Miner
Comment :
Object : C:\Program Files\BlubsterSupport\
FileSize : 24 KB
Created on : 1/25/2004 12:30:40 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 1/25/2004 12:30:42 AM

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 34

Possible Browser Hijack attempt Object recognized!
Type : File
Data : billboard.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://billboard.com/bb/charts/hot100.jsp
Object : C:\WINDOWS\Favorites\

Created on : 7/12/2003 5:18:45 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 7/12/2003 5:18:44 PM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : search the web.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.sureseeker.com/
Object : C:\WINDOWS\Favorites\Links\

Created on : 7/31/2001 4:22:22 AM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 7/31/2001 4:22:24 AM

Possible Browser Hijack attempt Object recognized!
Type : File
Data : search.url
Category : Misc
Comment : Item referrs to blacklisted Site: http://www.searchalot.com/
Object : C:\WINDOWS\Favorites\Links\

Created on : 11/19/2002 10:18:24 PM
Last accessed : 3/29/2004 5:00:00 AM
Last modified : 11/19/2002 10:18:26 PM

Scanning Hosts file(C:\WINDOWS\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
0 entries scanned.
New objects :0
Objects found so far: 37

Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

ToolbarCC Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_USERS
Object : .default\SOFTWARE\Microsoft\Internet Explorer\Registration
Value : Delta

ToolbarCC Object recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Registration
Value : Delta

PromulGate Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Dpi

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 40

2:35:42 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:15:19:10
Objects scanned :177526
Objects identified :40
Objects ignored :0
New objects :40
 

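The scan log above is easier to triage once its "Object recognized!" blocks are split into records. The following is an added example written for this page (it is not Lavasoft code and was not posted by anyone in the thread); the only format assumptions are the ones visible in the log, SAMPLE_LOG is a constructed excerpt in the same layout rather than a real scan, and the function names are my own.

```python
"""Parse an Ad-aware 6 scan log into one record per detection and triage it.

Assumptions (all taken from the layout visible in the log): a detection starts
with a line ending in "Object recognized!", is followed by "Key : Value" lines
(the "Created on" lines after a blank line still belong to it), and sections
are separated by rules of "¯" characters.  Keys outside KNOWN_FIELDS, such as
"New objects : 1", are summary lines and are ignored.
"""
import re
from collections import Counter

HEADER_SUFFIX = " Object recognized!"
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s?(.*)$")
RULE_RE = re.compile(r"^[¯_=-]{5,}\s*$")
KNOWN_FIELDS = {
    "Type", "Data", "Category", "Comment", "Rootkey", "Object", "Value",
    "FileSize", "FileVersion", "ProductVersion", "Copyright", "CompanyName",
    "FileDescription", "InternalName", "OriginalFilename", "ProductName",
    "Created on", "Last accessed", "Last modified",
}

# Constructed sample in the same layout as the posted log (hosts are placeholders).
SAMPLE_LOG = r"""Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://proxycfg.example.invalid/gencfg.asp?id1=X&lp=1"
Category : Data Miner
Comment : Possible browser hijack attempt
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings
Value : AutoConfigUrl

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1

Dialer Object recognized!
Type : File
Data : dialer.inf
Category : Malware
Comment : Example Telco
Object : C:\WINDOWS\INF\

Created on : 8/22/2000 5:18:22 PM
Last modified : 8/22/2000 5:18:22 PM

Tracking Cookie Object recognized!
Type : File
Data : user@tracker.invalid[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\
"""


def parse_adaware_log(text):
    """Return a list of dicts, one per detection, keyed by the log's field names."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(HEADER_SUFFIX):
            current = {"name": line[: -len(HEADER_SUFFIX)].strip()}
            records.append(current)
            continue
        if RULE_RE.match(line):          # a section rule ends the current detection
            current = None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None and m.group(1).strip() in KNOWN_FIELDS:
            current[m.group(1).strip()] = m.group(2).strip()
    return records


def category_counts(records):
    """How many detections fall in each Ad-aware category."""
    return Counter(r.get("Category", "?") for r in records)


def file_paths(records):
    """Full paths of file detections: Object is the directory, Data the file name."""
    return [r["Object"] + r["Data"] for r in records
            if r.get("Type") == "File" and "Object" in r and "Data" in r]


def proxy_hijacks(records):
    """Registry hits that point IE at a PAC script or proxy (Rootkey, Value, URL)."""
    return [(r.get("Rootkey"), r["Value"], r.get("Data", "").strip('"'))
            for r in records
            if r.get("Type") == "RegData"
            and r.get("Value") in ("AutoConfigUrl", "ProxyServer")
            and "Internet Settings" in r.get("Object", "")]


if __name__ == "__main__":
    recs = parse_adaware_log(SAMPLE_LOG)
    print("detections:", len(recs), dict(category_counts(recs)))
    for hit in proxy_hijacks(recs):
        print("PROXY/PAC HIJACK:", hit)
    for path in file_paths(recs):
        print("file:", path)
```

Run against the full posted log, the same functions give the per-category counts, the list of file paths to verify after removal, and the AutoConfigUrl hit that the next reply in the thread singles out.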
· Registered
Joined
·
46,025 Posts
When running the command: nscheck /uninstall

did you receive any error message? Did you reboot after that?

Post another scan log when done with Ad-Aware. I'm not sure if it removes the marketscore proxy successfully, and I'm still seeing it in your IP info >>

The host name is: proxys.or3.marketscore.com

Also open Internet Options > Connections > Settings. Make sure "use automatic configuration script" is NOT checked, and "use proxy" is NOT checked.
 
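The check described in the reply above (no "use automatic configuration script", no "use proxy") can also be done against the registry values that dialog edits: AutoConfigUrl, ProxyEnable and ProxyServer under the HKCU Internet Settings key, which is where the Ad-aware hit above lives. The following is an added example of mine, not part of the thread: the TRUSTED_HOSTS allow-list and the sample values are assumptions, the id parameters in the sample URL are placeholders, and reading or clearing the live key needs Python 3 on a current Windows (the evaluation function itself runs anywhere on captured values).

```python
"""Audit the Internet Explorer proxy values behind Internet Options > Connections > Settings.

Looks at the three values that dialog edits under HKCU\Software\Microsoft\
Windows\CurrentVersion\Internet Settings (see INTERNET_SETTINGS below):
AutoConfigUrl ("use automatic configuration script"), ProxyEnable and
ProxyServer ("use a proxy server").  A PAC URL is the more dangerous of the
two, because the script it fetches decides per request which proxy sees the
traffic; that is what the marketscore.com entry in the log above points at.
""".replace("\\\n", "")
import sys
from urllib.parse import urlsplit

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Assumed allow-list: an organisation's own PAC/proxy hosts would go here.
TRUSTED_HOSTS = {"pac.corp.example", "proxy.corp.example"}

# Constructed sample modelled on the AutoConfigUrl hit in the Ad-aware log above
# (id1/id2 are placeholders, not the values from the log).
HIJACKED = {
    "AutoConfigUrl": "http://proxycfg.marketscore.com/gencfg.asp?id1=XXXX&id2=YYYY&lp=1",
    "ProxyEnable": 0,
    "ProxyServer": "",
}
CLEAN = {"ProxyEnable": 0}


def _host_of_proxy(entry):
    """'http=host:port' or 'host:port' -> 'host'."""
    target = entry.split("=", 1)[-1]
    return target.rsplit(":", 1)[0].strip()


def audit_proxy_settings(values, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (severity, message); an empty list means no proxy or PAC is set."""
    findings = []
    pac = (values.get("AutoConfigUrl") or "").strip()
    if pac:
        host = urlsplit(pac).hostname or ""
        sev = "info" if host in trusted_hosts else "high"
        findings.append((sev, "AutoConfigUrl is set, PAC host %r: %s" % (host, pac)))
    proxy = (values.get("ProxyServer") or "").strip()
    if values.get("ProxyEnable", 0):
        if not proxy:
            findings.append(("medium", "ProxyEnable=1 but ProxyServer is empty"))
        for entry in filter(None, proxy.split(";")):
            sev = "info" if _host_of_proxy(entry) in trusted_hosts else "high"
            findings.append((sev, "proxy enabled: %s" % entry))
    elif proxy:
        findings.append(("low", "ProxyServer set but disabled: %s" % proxy))
    return findings


def read_live_settings():
    """Read the three values from HKCU on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in ("AutoConfigUrl", "ProxyEnable", "ProxyServer"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


def clear_pac_url():
    """Delete AutoConfigUrl, which unticks 'use automatic configuration script' (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, "AutoConfigUrl")


if __name__ == "__main__":
    live = read_live_settings() or HIJACKED      # off Windows, audit the sample instead
    for severity, message in audit_proxy_settings(live) or [("ok", "no proxy or PAC configured")]:
        print("[%s] %s" % (severity, message))
```

After removal, re-run the audit (or re-open the dialog): the value being gone is the evidence, not the scanner's "objects found" count, since a PAC hijack that survives in HKEY_USERS\.default or is re-written at logon will show up here again.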

· Registered
Joined
·
22 Posts
Discussion Starter · #15 ·
All right everyone... Ran Ad-aware and got rid of the stuff there. Then I ran nscheck / uninstall and got the message: "Windows cannot find 'nscheck'. You may have typed the name incorrectly in the Run dialog, or another open program cannot find a system file." Then I rebooted.

Logfile of HijackThis v1.97.7
Scan saved at 6:19:33 PM, on 3/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\AOLFIX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\CDS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [AolFix] C:\windows\system\AolFix.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Blubster Support - file://C:\Program Files\BlubsterSupport\System\Temp\blubstershop_script0.htm
O9 - Extra button: Guide (HKLM)
O9 - Extra button: PeoplePC (HKLM)
O9 - Extra button: Wallet (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {8D37126F-C08C-11D4-A248-005056BF3741} (plug Class) -
O16 - DPF: {3D36A2F9-2205-484b-87CA-2F090985C00E} (nsBrowserConfig Class 2) -
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) -
O16 - DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} (Macromedia Flash Factory Object) -
O16 - DPF: {DC054EBF-3C6F-4d29-87AB-84344BD3DA2B} (Remote Loading Module) -
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://tmaster.superb.net/tm2002oneclick/setup.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {4AD7DA15-AB2F-4C91-BEF5-3876DA4A2CCC} - http://www.cambridgesoft.com/plugins/activex/install/NetInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37966.6955208333
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12189c7bbfbf964fb802/netzip/RdxIE601.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
 
