Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Apr 20 2005, 10:54 PM
Post #1
New Member, Group: Member, Posts: 4, Joined: 20-April 05, Member No.: 14670
Hello!
I have run the HijackThis and Ad-Aware SE programs and have pasted the logs below. I hope you are able to help; the pop-up things are driving me insane!! Also, I have another problem: I cannot restore my system (using the System Restore tool in XP). It runs through the process, asking me to choose a date etc., and then re-boots but shows a message saying 'cannot restore system to date specified' or a similar message. Not sure if this is linked to the current pop-up/spyware problems or something else I should be looking at. Many thanks for any help, Kate :-)

Logfile of HijackThis v1.99.1
Scan saved at 23:28:30, on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\capesnpn.exe
C:\PROGRA~1\INTRIG~1\pcbodyguard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\batmeter.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Eraser\eraser.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Documents and Settings\Adam Robertson\My Documents\Coco Kate\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939 - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\4.bin\MYBAR.DLL
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [dd268fc6d452] C:\WINDOWS\system32\capesnpn.exe
O4 - HKLM\..\Run: [WebCpr0] C:\Program Files\Web_Cpr\WebCpr0.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRA~1\INTRIG~1\pcbodyguard.exe /start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [d3e94e685ac2] C:\WINDOWS\system32\batmeter.exe
O4 - HKLM\..\Run: [BTV] c:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ad-Aware Quarantine ArchiveData(auto-quarantine- 2005-04-20 23-23-57.bckp)
Referencefile : SE1R39 15.04.2005
Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209342.dll obj[269]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209341.dll obj[270]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209340.dll obj[271]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209339.exe obj[272]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209338.dll obj[273]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209337.dll obj[274]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209333.exe obj[275]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209331.dll obj[276]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209329.exe obj[294]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208264.dll obj[295]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208263.exe obj[296]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208262.exe obj[297]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208261.dll obj[298]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208260.dll obj[299]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208259.dll obj[300]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208258.dll obj[301]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208257.exe obj[302]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208256.dll obj[303]=File : C:\System Volume 
Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208255.dll obj[304]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208251.exe obj[305]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208249.dll obj[306]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208247.exe obj[325]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP313\A0208030.dll obj[326]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP313\A0208027.exe obj[327]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP313\A0208026.exe IBIS TOOLBAR »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[115]=Regkey : software\microsoft\mediaplayer\control\playbar obj[116]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrViewed" obj[117]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrStatic" obj[118]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrShadow" obj[119]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrHighlight" obj[120]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrForeColor" obj[121]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrDownload" obj[122]=RegValue : software\microsoft\mediaplayer\control\playbar "ClrBackColor" obj[411]=File : C:\Program Files\PestPatrol\Quarantine\20040413215238954.zip RADS01.QUADROGRAM »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[124]=RegValue : software\microsoft\internet explorer\main "Enable Browser Extensions" obj[284]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208278.exe ADROAR »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[125]=Regkey : software\adroarplugin obj[126]=RegValue : software\adroarplugin "Update" obj[127]=RegValue : software\adroarplugin "InstallationDate" obj[128]=RegValue : software\adroarplugin 
"ID" obj[129]=RegValue : software\adroarplugin "dcount" obj[130]=RegValue : software\adroarplugin "configName" obj[131]=RegValue : software\adroarplugin "AddUrl" obj[257]=File : C:\WINDOWS\IEP.exe obj[263]=File : C:\WINDOWS\artmmp.ini FLASHENHANCERBHO »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[132]=Regkey : unawareobj.unawareobj obj[133]=Regkey : unawareobj.unawareobj.1 obj[134]=RegValue : unawareobj.unawareobj.1 "" obj[135]=RegValue : unawareobj.unawareobj "" obj[140]=Regkey : typelib\{48e832ec-b061-49e2-bbc1-ac818623b742}\1.0 obj[141]=RegValue : typelib\{48e832ec-b061-49e2-bbc1-ac818623b742}\1.0 "" obj[142]=Regkey : typelib\{48e832ec-b061-49e2-bbc1-ac818623b742} obj[179]=Regkey : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\typelib obj[180]=RegValue : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\typelib "Version" obj[181]=RegValue : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\typelib "" obj[182]=Regkey : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\proxystubclsid obj[183]=Regkey : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\proxystubclsid32 obj[184]=RegValue : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\proxystubclsid32 "" obj[185]=RegValue : interface\{890089b7-b385-442f-97b6-99060e8bd08f}\proxystubclsid "" obj[186]=Regkey : interface\{890089b7-b385-442f-97b6-99060e8bd08f} obj[187]=RegValue : interface\{890089b7-b385-442f-97b6-99060e8bd08f} "" obj[417]=File : C:\Program Files\Common Files\Java\Xcpy1.exe obj[418]=File : C:\Program Files\Common Files\Java\Xcpy1.cfg WINFAVORITES »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[136]=Regkey : typelib\{c094876d-1b0e-46fa-b6a6-7ffc0f970c27} obj[165]=Regkey : jao.jao obj[166]=Regkey : jao.jao.1 obj[167]=RegValue : jao.jao.1 "" obj[168]=RegValue : jao.jao "" obj[173]=Regkey : interface\{b88a3af1-4f1b-4400-8ffb-3fcb108ce115} obj[174]=RegValue : interface\{b88a3af1-4f1b-4400-8ffb-3fcb108ce115} "" obj[190]=Regkey : interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12} obj[191]=RegValue : 
interface\{4fdbdbad-fefe-4c4c-9cc1-1181052afb12} "" WINDOWS »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[150]=RegData : scrfile\shell\open\command "" TRACKING COOKIE »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[206]=IECache Entry : Cookie:adam robertson@~~local~~/ obj[207]=IECache Entry : Cookie:adam robertson@z1.adserver.com/ obj[208]=IECache Entry : Cookie:adam robertson@www.shopathomeselect.com/ obj[209]=IECache Entry : Cookie:adam robertson@www.clickedyclick.com/ obj[210]=IECache Entry : Cookie:adam robertson@www.cibleclick.com/ obj[211]=IECache Entry : Cookie:adam robertson@www.adwareremovergold.com/ obj[212]=IECache Entry : Cookie:adam robertson@valuead.com/ obj[213]=IECache Entry : Cookie:adam robertson@tripod.com/ obj[214]=IECache Entry : Cookie:adam robertson@tribalfusion.com/ obj[215]=IECache Entry : Cookie:adam robertson@tradedoubler.com/ obj[216]=IECache Entry : Cookie:adam robertson@serving-sys.com/ obj[217]=IECache Entry : Cookie:adam robertson@servedby.netshelter.net/ obj[218]=IECache Entry : Cookie:adam robertson@revenue.net/ obj[219]=IECache Entry : Cookie:adam robertson@realmedia.com/ obj[220]=IECache Entry : Cookie:adam robertson@questionmarket.com/ obj[221]=IECache Entry : Cookie:adam robertson@overture.com/ obj[222]=IECache Entry : Cookie:adam robertson@linksynergy.com/ obj[223]=IECache Entry : Cookie:adam robertson@jmbugo.cjt1.net/HTM/693/0 obj[224]=IECache Entry : Cookie:adam robertson@jmbi24.cjt1.net/HTM/791/0 obj[225]=IECache Entry : Cookie:adam robertson@jimcna.cjt1.net/HTM/296/0 obj[226]=IECache Entry : Cookie:adam robertson@fortunecity.com/ obj[227]=IECache Entry : Cookie:adam robertson@findwhat.com/ obj[228]=IECache Entry : Cookie:adam robertson@fastclick.net/ obj[229]=IECache Entry : Cookie:adam robertson@etype.adbureau.net/ obj[230]=IECache Entry : Cookie:adam robertson@ehg-bskyb.hitbox.com/ obj[231]=IECache Entry : Cookie:adam robertson@casalemedia.com/ obj[232]=IECache Entry : Cookie:adam robertson@bs.serving-sys.com/ obj[233]=IECache 
Entry : Cookie:adam robertson@atdmt.com/ obj[234]=IECache Entry : Cookie:adam robertson@as1.falkag.de/ obj[235]=IECache Entry : Cookie:adam robertson@apmebf.com/ EBATES MONEYMAKER »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[238]=Folder : C:\Program Files\WebSavingsfromEbates obj[405]=File : C:\Program Files\Web_Cpr\Sy2000\Sy2000\2000_1.dat obj[407]=File : C:\Program Files\websavingsfromebates\WebSavings_README.txt obj[408]=File : C:\Program Files\websavingsfromebates\WebSavingsfromEbates.inf EZULA »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[246]=File : C:\WINDOWS\system32\Xcite2.exe obj[255]=File : C:\WINDOWS\system32\ezSt4.exe VIRTUALBOUNCER »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[247]=File : C:\WINDOWS\system32\WrapperOuter.exe FAVORITEMAN »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[249]=File : C:\WINDOWS\system32\vg.dat obj[250]=File : C:\WINDOWS\system32\v.dat obj[251]=File : C:\WINDOWS\system32\SplWbr.dll obj[256]=File : C:\WINDOWS\system32\drivers\etc\hosts.bho CYDOOR »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[277]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209328.dll obj[307]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208244.dll obj[410]=File : C:\Program Files\PestPatrol\Quarantine\20050401144110084.zip TVMEDIA »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[362]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP307\A0203510.dll obj[363]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP307\A0203509.dll obj[364]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP307\A0203501.exe JAJSOFT.CSRS »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[415]=File : C:\Program Files\PestPatrol\Quarantine\20040413215238954.zip WEBHANCER »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» obj[416]=File : C:\Program Files\PestPatrol\Quarantine\20040413215238954.zip |
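The Ad-Aware log above records the same adware families under C:\System Volume Information\_restore{...}\RPnnn\, which is the reason a System Restore rollback would put them straight back. As an added example (not part of Kate's post, and not Ad-Aware or forum code), here is a Python script that groups Ad-Aware SE detections by restore point and separates them from items that are live on disk, running right now, or already sitting in PestPatrol quarantine. The log excerpt it parses is constructed for the example in the format shown above; the family headers and paths are taken from the posted log, the selection is the editor's.

```python
"""Group Ad-Aware SE detections by Windows XP System Restore point.

Added example for this thread; not code from Ad-Aware or from the forum.
SAMPLE_ADAWARE is a constructed excerpt in the format of the log posted
above: family headers and paths come from that log, the selection is ours.
A copy filed under ...\_restore{GUID}\RPnnn\ comes back when that restore
point is applied, which is why the adviser says to flush the points.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_ADAWARE = r"""
WINDUPDATES »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[236]=Folder : C:\Program Files\WindUpdates
obj[254]=File : C:\WINDOWS\system32\ide21201.vxd
obj[308]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208220.exe
obj[310]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208218.dll
CLICKSPRING »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[244]=Process : C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
obj[258]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.ocx
CYDOOR »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[277]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP316\A0209328.dll
obj[307]=File : C:\System Volume Information\_restore{134AD484-E341-4322-8048-58D4DE156F96}\RP315\A0208244.dll
obj[410]=File : C:\Program Files\PestPatrol\Quarantine\20050401144110084.zip
"""

# "FAMILY »»»»" section headers and "obj[n]=Kind : target" entries, as Ad-Aware SE prints them
HEADER = re.compile(r"^(?P<family>[A-Z0-9._]+(?: [A-Z0-9._]+)*) »+$")
ENTRY = re.compile(r"^obj\[(?P<n>\d+)\]=(?P<kind>\w+) : (?P<target>.*)$")
# A copy filed away by System Restore: ...\_restore{GUID}\RP<number>\A<serial>.<ext>
RESTORE_POINT = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\", re.IGNORECASE)
# Already contained by PestPatrol; inert unless someone restores it from quarantine
QUARANTINE = re.compile(r"\\PestPatrol\\Quarantine\\", re.IGNORECASE)


@dataclass
class Summary:
    restore_points: dict[int, list[str]] = field(default_factory=dict)  # RP number -> families found in it
    running: list[str] = field(default_factory=list)      # active processes (deal with these first)
    on_disk: list[str] = field(default_factory=list)      # live files, folders and registry data
    quarantined: list[str] = field(default_factory=list)  # archives already in an AV quarantine


def summarize(log_text: str) -> Summary:
    """Walk the log once, tracking the current family header, and bucket each entry."""
    summary = Summary()
    families_by_rp: dict[int, set[str]] = {}
    family = "UNKNOWN"
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            family = header.group("family")
            continue
        entry = ENTRY.match(line)
        if not entry:
            continue
        kind, target = entry.group("kind"), entry.group("target")
        rp = RESTORE_POINT.search(target)
        if rp:
            families_by_rp.setdefault(int(rp.group("rp")), set()).add(family)
        elif QUARANTINE.search(target):
            summary.quarantined.append(target)
        elif kind == "Process":
            summary.running.append(target)
        else:
            summary.on_disk.append(target)
    summary.restore_points = {rp: sorted(fams) for rp, fams in sorted(families_by_rp.items())}
    return summary


def restore_would_reinfect(summary: Summary, rp: int) -> bool:
    """True if rolling back to restore point RP<rp> would bring an adware file back."""
    return rp in summary.restore_points


if __name__ == "__main__":
    s = summarize(SAMPLE_ADAWARE)
    for rp, fams in s.restore_points.items():
        print(f"RP{rp}: {', '.join(fams)}")
    print("running now:", *s.running)
    print("quarantined:", len(s.quarantined), "archive(s)")
```

On the full log this gives the per-restore-point picture the adviser summarises as "your restore points are infested": RP299 through RP316 each hold at least one copy, so there is no clean point to roll back to and turning System Restore off and on again (which discards them all) is the right call. The quarantine bucket also explains the later Kaspersky result, since scanners will flag the archived samples in PestPatrol\Quarantine even though nothing there is active.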
Apr 21 2005, 02:41 AM, Post #2
Most Respected SuperExpert, Group: Member, Posts: 4576, Joined: 9-June 04, Member No.: 8164
You do not want to use system restore now. Your restore points are infested.
I'll be back shortly with some advice.
Apr 21 2005, 03:20 AM, Post #3
Most Respected SuperExpert, Group: Member, Posts: 4576, Joined: 9-June 04, Member No.: 8164
You will be restarting into Safe mode later.
Go here for directions if you need help: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

--------

Because XP will not always show you hidden files and folders by default, reset your search settings first.
Open Folder Options > View and check your settings.
Select:
Show hidden files and folders
Display the contents of system folders
Uncheck:
Hide protected operating system files

Next go to Search and scroll down using the scroll bar on the right. Go down to More advanced options and click. Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

--------

Go to Add Remove Programs and uninstall (if there):
Web CPR and/or WCPR

---------------

Restart into Safe mode.
Go to Start > Run and type hijackthis, then press enter.
Do not open anything else.
Select the following items and press Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dd268fc6d452] C:\WINDOWS\system32\capesnpn.exe
O4 - HKLM\..\Run: [WebCpr0] C:\Program Files\Web_Cpr\WebCpr0.exe
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [d3e94e685ac2] C:\WINDOWS\system32\batmeter.exe
O4 - HKLM\..\Run: [BTV] c:\Program Files\BTV\btv.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Delete these files:
C:\WINDOWS\system32\capesnpn.exe
C:\WINDOWS\system32\Searchx.htm
C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
C:\WINDOWS\system32\batmeter.exe

Delete these folders:
c:\Program Files\Flen
C:\Program Files\LiveUpdate
c:\Program Files\BTV
C:\WINDOWS\system32\nsvsvc
C:\Program Files\Web_Cpr
C:\Program Files\Bpt

Empty your Temporary Internet Files and history in Internet Options.
And clean out your Temp folder: go to Start > Run and type %TEMP%, then press enter to open your temp folder. It's a good idea to do that regularly.

Go to Control Panel > Internet Options > Programs. Click the Reset Web Settings button to reset your home and search pages.

---------------------------

Flush your system restore points:
To flush the XP System Restore points, go to Start > Run and type msconfig, then press enter.
When msconfig opens, click the Launch System Restore button.
On the next page, click the System Restore Settings link on the left.
Check the box labeled Turn off System Restore.

------------

Run Ad-Aware again and allow it to clean anything it finds.

------------

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.
Test to be sure System Restore is working. If not, let me know.

------------

Go for free online virus scans here:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/
Allow Trend Micro to clean. Panda will not clean, but it will create a log. Be sure to do that and then post that log along with a new HijackThis log and a report on how everything went.
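The fix list in the post above was picked out of the HijackThis log by eye. As an added example (not part of the adviser's post, and not HijackThis code), here is a Python script that applies the same kinds of tests to a HijackThis 1.99 log: an IE search page redirected to a local file, a missing default URLSearchHook, O2/O9 entries whose file no longer exists, Run entries with random hex names, autostarts launched from a user-writable profile folder, and BHO names matching adware families the Ad-Aware log earlier in this thread named. The sample log is constructed from entries quoted in the thread; the heuristics are assumptions about what "looks hijacked" and are a starting point for a reviewer, not a verdict. They miss the "Openwares LiveUpdate" entry, which the adviser recognised by name rather than by any structural tell.

```python
"""Triage a HijackThis 1.99 log the way the adviser above did by hand.

Added example for this thread; not code from HijackThis or from the forum.
SAMPLE_LOG is constructed from entries quoted in the posts. The tests are
assumptions about what a hijacked entry looks like: a hit is something to
check, not proof of malware.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.99 lines mixing entries the adviser told
# the user to fix with ones that belong to legitimate software.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dd268fc6d452] C:\WINDOWS\system32\capesnpn.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str      # HijackThis section code: R1, O2, O4, ...
    reason: str
    line: str
    path: str = ""    # executable or DLL the entry points at, when one can be parsed


# Adware families named by section headers in the Ad-Aware log posted in this thread.
# Matching on the product name catches the BHO the adviser flagged even though its
# DLL lives under Program Files like legitimate software.
KNOWN_FAMILIES = ("flashenhancer", "windupdates", "clickspring", "ezula", "webhancer")
# Startup entry whose name is just hex digits, e.g. [dd268fc6d452]
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Per-user, user-writable places where an XP autostart binary rarely belongs
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def executable_from_command(cmd: str) -> str:
    """Return the program path from a Run value, quoted ('"C:\\a b\\x.exe" -f') or bare ('C:\\a b\\x.exe /s')."""
    cmd = cmd.strip()
    quoted = re.match(r'^"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    bare = re.match(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return bare.group(1) if bare else cmd


def triage(log_text: str) -> list[Finding]:
    """Apply the structural tests to every log line and collect the hits in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        low = line.lower()
        if section == "R1" and "search bar" in low and "= file://" in low:
            findings.append(Finding(section, "IE search page redirected to a local file", line))
        elif section == "R3" and "urlsearchhook is missing" in low:
            findings.append(Finding(section, "default URLSearchHook removed (left behind by a hijack)", line))
        elif section in ("O2", "O9") and low.endswith("(no file)"):
            findings.append(Finding(section, "orphaned entry: registry key points at a missing file", line))
        elif section == "O2" and any(fam in low for fam in KNOWN_FAMILIES):
            findings.append(Finding(section, "BHO from a known adware family", line, line.rsplit(" - ", 1)[1]))
        elif section == "O4":
            m = O4_RUN.match(line)
            if not m:
                continue
            name, path = m.group("name"), executable_from_command(m.group("cmd"))
            if HEX_NAME.match(name):
                findings.append(Finding(section, "Run entry with a random hex name", line, path))
            elif any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(Finding(section, "autostart binary in a user-writable profile folder", line, path))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """Lines to tick in HijackThis before 'Fix checked', in log order, without duplicates."""
    return list(dict.fromkeys(f.line for f in findings))


def files_to_delete(findings: list[Finding]) -> list[str]:
    """Files behind the flagged entries; remove these in Safe mode after fixing the registry entries."""
    return list(dict.fromkeys(f.path for f in findings if f.path))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("\nDelete after fixing:")
    for p in files_to_delete(hits):
        print("   ", p)
```

fix_list() gives the lines to tick, files_to_delete() the binaries behind them, which matches the order the adviser uses: fix the registry entries in HijackThis first, then delete the files and folders while still in Safe mode so nothing is holding them open.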
Apr 21 2005, 12:21 PM, Post #4
New Member, Group: Member, Posts: 4, Joined: 20-April 05, Member No.: 14670
Hello again!

Followed your instructions and I have listed below the few things I came across whilst I was doing everything. Also I have pasted the new HijackThis log file below.

System restore working great now thanks. All previous restore dates have been deleted and the new one dated today (as a result of your instructions) works fine.

Web CPR is still present on the list on Add Remove Programs screen and when I attempted to remove it, it flashed the following message and still remains on the list!
VJView Error (Title)
ERROR: Could not execute Main: The system cannot find the file specified.

While in safe mode and in the HijackThis program, the following items on the list you gave me did not appear: (However, they are present on the new HijackThis log pasted below, as to save me typing I have just copied and pasted them from the new log below)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe

Delete these files list (these files were not there in safe mode):
C:\WINDOWS\system32\Searchx.htm
C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe

Delete these folders list (these folders were not there in safe mode):
C:\Program Files\BTV
C:\WINDOWS\system32\nsvsvc
C:\Program Files\Web_Cpr

Online Virus scans:
Trend Micro – Congratulations! No viruses found ….. message received.
Panda – Copy of screen report pasted below (at end). I’m not sure this worked OK as it was very quick (like a couple of seconds) and all the columns show 0, and I copied the screen report as it didn’t seem to have anywhere to access a report/log.

Hope this all makes sense.
Many thanks, Kate :-)

Logfile of HijackThis v1.99.1
Scan saved at 12:55:12, on 21/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\INTRIG~1\pcbodyguard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Eraser\eraser.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Adam Robertson\My Documents\Coco Kate\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\4.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRA~1\INTRIG~1\pcbodyguard.exe /start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Panda Scan (no report/log available)
Scan finished

              System   Files   Messages
Scanned       Yes      0       0
Infected      -        0       0
Suspicious    -        0       0
Disinfected   -        0       0

No viruses have been found. To keep your computer permanently protected against viruses, install the antivirus solution that best suits your needs.
No viruses have been found!
Apr 21 2005, 08:22 PM, Post #5
Most Respected SuperExpert, Group: Member, Posts: 4576, Joined: 9-June 04, Member No.: 8164
QUOTE
Web CPR is still present on the list on Add Remove Programs screen and when I attempted to remove it, it flashed the following message and still remains on the list!
VJView Error (Title)
ERROR: Could not execute Main: The system cannot find the file specified.

That's normal. We removed the folder containing the uninstall file. I generally do not use uninstallers for Spyware found in Add Remove Programs.
That uninstall key is an orphan and can be removed using HijackThis.
Open HijackThis and press the Config key. Press Misc Tools. Click the Open Uninstall Manager button. Find the entry you want to delete on the list, highlight it and then click the Delete this entry button.

------------------

In regular Windows mode fix these items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe

--------------

See if these are present in regular Windows mode and delete them if you find them: (Ad-Aware may have removed them. You did allow it to remove anything it found, I hope.)

Delete these files list (these files were not there in safe mode):
C:\WINDOWS\system32\Searchx.htm
C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe

Delete these folders list (these folders were not there in safe mode):
C:\Program Files\BTV
C:\WINDOWS\system32\nsvsvc
C:\Program Files\Web_Cpr

------------

Fix these using HijackThis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Tede] C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe

--------------------

The Panda Scan didn't run for some reason. See if a Kaspersky online scan finds anything:
http://www.kaspersky.com/beta?product=161744315

Post a new HijackThis log when you finish and let me know how the scan goes.
Apr 22 2005, 01:49 PM, Post #6
New Member, Group: Member, Posts: 4, Joined: 20-April 05, Member No.: 14670
Hello,
Kaspersky ran OK, took an age!! But identified 6 viruses (have written down details of filenames if you want them), they were mostly in PestPatrol Quarantine files.

Unable to find the following in normal or safe mode (I did allow Ad-Aware to remove anything it found so that's probably why yeah?!)

C:\WINDOWS\system32\Searchx.htm
C:\Documents and Settings\Adam Robertson\Application Data\sceo.exe
C:\Program Files\BTV
C:\WINDOWS\system32\nsvsvc
C:\Program Files\Web_Cpr

However, did find C:\WINDOWS\system32\nsvsvc32.exe – is that the correct file? I haven't done anything to it yet!

One other thing … I downloaded the Microsoft Anti Spyware Beta 1 and having run it I got the following list of items. Should I delete these now, or wait until we've finished this other stuff first?

TV Media Display Adware
Internet Keyword Adware
Twain Tech Adware
BroadcastPC
Unclassified.Spyware.Loader
DelFin.Media Viewer
Spytech NetVizor
Marketscore.Internet Accelerator
Virtual Bouncer
TurboDownload
SpyAnywhere
Morpheus
eXact.Cashback
AvenueMedia.DyFuCA

Thanks for getting back to me about this, your help is much appreciated :-)
Kate

Logfile of HijackThis v1.99.1
Scan saved at 14:35:37, on 22/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\INTRIG~1\pcbodyguard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Eraser\eraser.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Adam Robertson\My Documents\Coco Kate\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\4.bin\MYBAR.DLL
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [PCBG] C:\PROGRA~1\INTRIG~1\pcbodyguard.exe /start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/zuma/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Apr 22 2005, 08:29 PM
Post
#7
Most Respected SuperExpert Group: Member Posts: 4576 Joined: 9-June 04 Member No.: 8164
Hi Kate,
You're welcome.

I think you may have mistyped this one: nsvvc32.exe
Is probably this legitimate Nvidia file. For your video.
nvsvc32.exe

Let the Microsoft Anti Spyware Beta program clean out what it listed. It found orphaned leftovers. Things we don't do manually.

Your log looks good.

I have some advice about these anti spyware protection programs running in the background. Keep the programs but run only one at a time. They can interfere with each other and cause problems. You have the MS and Pest Patrol Programs set to run at startup. Choose one or the other.

Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
Apr 22 2005, 08:58 PM
Post
#8
New Member Group: Member Posts: 4 Joined: 20-April 05 Member No.: 14670
Brilliant .. you're a star!
Have had no more pop ups and things are running much faster. I'll go get keyed up on security issues now! Cheers mate :-)
Apr 23 2005, 01:48 AM
Post
#9
Most Respected SuperExpert Group: Member Posts: 4576 Joined: 9-June 04 Member No.: 8164
That sounds like a plan.
I'll close this one now since it is resolved. If you need it re-opened because this issue has returned, PM an Admin or Mod to help you. Anyone else, please start your own topic and someone will help.