Tech Support Forum: HijackThis Log Help
#22
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Right click this file and check its properties: C:\WINDOWS\system32\hh.exe. On the Version tab it should say Microsoft.

Download DLLCompare http://www.greyknight17.com/spy/DllCompare.exe
Please put it in a folder on the root drive (C:\).
Click the Run locate.com button.
When the scan is complete click the Compare button. It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box. In a few minutes it will complete.
Click the button Make a Log of what was Found.
Post that log.

**Note** Only if you get an error after pressing Run Locate.com: copy autoexec.nt from the c:\windows\repair\ folder to the c:\windows\system32\ folder.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#23
Registered User
Join Date: Jan 2005
Posts: 17
OS: XP Pro
DLL Compare Log

* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,320 items found: 1,320 files, 0 directories.
Total of file sizes: 274,528,974 bytes 261.81 M
Administrator Account = True
--------------------End log---------------------
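The DLLCompare run above rests on a cross-view comparison: the tool lists files once with a raw scanner (locate.com) and once through the normal Windows API, and whatever only the raw scan could see is flagged as "No access". The following is an added example, not DLLCompare's code or anything posted in this thread, that performs that comparison over two constructed listings (the paths, the sizes and the hidden_example.dll name are made up for illustration). It goes one step beyond the tool's log by also reporting files the two views agree on by name but not by size.

```python
"""Cross-view listing comparison, the idea behind DLLCompare's Compare step.

Added example, not DLLCompare's code.  Both listings are constructed
"<path> <size>" text so the comparison can be exercised offline.
"""
import ntpath

# Constructed listings; paths, sizes and hidden_example.dll are illustrative.
RAW_SCAN_LISTING = """\
C:\\WINDOWS\\system32\\hh.exe 41000
C:\\WINDOWS\\system32\\kernel32.dll 984064
C:\\WINDOWS\\system32\\hidden_example.dll 17920
C:\\WINDOWS\\System32\\drivers\\etc\\hosts 734
"""
API_LISTING = """\
c:\\windows\\system32\\HH.EXE 41000
C:\\WINDOWS\\system32\\kernel32.dll 984064
C:\\WINDOWS\\system32\\drivers\\etc\\hosts 912
"""


def parse_listing(text):
    """Map normalized path -> size in bytes; the last space separates path and size,
    so directory names containing spaces are handled."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, size = line.rpartition(" ")
        # ntpath.normcase lowercases and unifies separators on every platform, so
        # "C:\WINDOWS\System32\HH.EXE" and "c:\windows\system32\hh.exe" collide.
        entries[ntpath.normcase(path)] = int(size)
    return entries


def compare_views(raw_text, api_text):
    """Return the three disagreement sets between the raw and API views."""
    raw = parse_listing(raw_text)
    api = parse_listing(api_text)
    return {
        # seen by the raw scan but not through the API: DLLCompare's "No access" set
        "raw_only": sorted(set(raw) - set(api)),
        # the reverse is unusual but worth listing (a file created between scans, say)
        "api_only": sorted(set(api) - set(raw)),
        # same name in both views, different size: the views disagree on the contents
        "size_mismatch": sorted(p for p in raw.keys() & api.keys() if raw[p] != api[p]),
    }


if __name__ == "__main__":
    for label, paths in compare_views(RAW_SCAN_LISTING, API_LISTING).items():
        print(label, paths)
```

The raw_only set is the one DLLCompare writes to its lower box; an empty raw_only set on the log above is the "no files found" result the user posted.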
#24
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hmmm.. Guess we bring out the big guns.

Run AdawareSE again and have it save the log. Post the log here.

Download Silent Runners.vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled.
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Download and unzip http://castlecops.com/zx/Zupe/Find%20It%20NT-2K-XP.zip
Double-click on find.bat inside the folder to run it. It should run for a while, then open a text document. Please copy and paste the contents of that document here.

Download Find-qoologic.zip from my attachment here.
Umonitor among others
1. Unzip (it must be unzipped) the files to a folder on your desktop.
2. Open the qoologic folder, run qoologic.bat from there and wait for it to finish.
3. It will take a while, so wait until the DOS window disappears and disk activity stops.
4. Then open the text file it created, found here: c:\log.txt, and paste the contents into your next post.

Open HijackThis, click Config, then Misc Tools. Check the 2 boxes next to "Generate Startup List" and then click "Generate Startup List". Post that log in your next post.

Navigate to C:\WINDOWS\system32\drivers\etc, highlight the Hosts file, right click and open it with WordPad. Paste the contents of the file in this post.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
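The analyst's post asks for several logs that are read by hand: a process list with version information, a list of recognized objects, startup items and the hosts file. The following is an added example, not Ad-Aware's, Silent Runners' or the forum's own code, that performs the first triage pass an analyst makes over an Ad-Aware SE style log. The record layout it parses is inferred from Ad-Aware SE output (a "#:N [name]" line starts a process entry, a line ending in "Object Recognized!" starts a detection, and both are followed by "Key : Value" fields); SAMPLE_LOG is constructed to that shape, with unsigned.exe and the cookie name made up for the example.

```python
"""Triage pass over an Ad-Aware SE style log.

Added example, not Ad-Aware's or the forum's code.  SAMPLE_LOG is constructed;
unsigned.exe and the cookie domain are made up, the other names are illustrative.
"""
import re

SAMPLE_LOG = """\
Listing running processes
#:1 [services.exe]
   FilePath      : C:\\WINDOWS\\system32\\
   ProcessID     : 720
   CompanyName   : Microsoft Corporation
#:2 [mmtask.exe]
   FilePath      : C:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\
   ProcessID     : 1624
   CompanyName   : TODO: <Company name>
#:3 [unsigned.exe]
   FilePath      : C:\\Documents and Settings\\Bob\\Local Settings\\Temp\\
   ProcessID     : 3300
Memory scan result:
New critical objects: 0
Tracking Cookie Object Recognized!
   Type          : IECache Entry
   Data          : bob@example-adnetwork[2].txt
   Category      : Data Miner
   Value         : Cookie:bob@example-adnetwork.com/
eUniverse Object Recognized!
   Type          : File
   Data          : kbdummy.dll
   Category      : Data Miner
   Comment       :
   Object        : C:\\Documents and Settings\\Bob\\Local Settings\\Temp\\
Disk Scan Result for C:\\
"""

PROCESS_RE = re.compile(r"^#:(\d+)\s+\[([^\]]+)\]\s*$")
OBJECT_RE = re.compile(r"^(.+?) Object Recognized!\s*$")
# a single-word key, a colon, then the value; section headers like
# "Memory scan result:" contain spaces before the colon and do not match
FIELD_RE = re.compile(r"^\s*([A-Za-z]+)\s*:\s?(.*)$")


def parse_log(text):
    """Return (processes, detections); each record is a dict of its fields."""
    processes, detections, current = [], [], None
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            current = {"index": int(m.group(1)), "name": m.group(2)}
            processes.append(current)
        elif m := OBJECT_RE.match(line):
            current = {"family": m.group(1)}
            detections.append(current)
        elif (m := FIELD_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
        else:
            current = None  # section headers and rules close the open record
    return processes, detections


def triage_processes(processes):
    """Flag processes with no vendor recorded or a build-template placeholder."""
    flagged = []
    for p in processes:
        vendor = p.get("CompanyName", "")
        if not vendor:
            flagged.append((p["name"], p.get("FilePath", ""), "no version information"))
        elif vendor.startswith("TODO:"):
            flagged.append((p["name"], p.get("FilePath", ""), "placeholder vendor string"))
    return flagged


def triage_detections(detections):
    """Separate tracking cookies (noise) from file hits (the ones to act on)."""
    cookies, others = [], []
    for d in detections:
        if d.get("Type") == "IECache Entry":
            cookies.append(d.get("Data", ""))
        else:
            # for File hits "Object" is the directory and "Data" the file name
            others.append((d["family"], d.get("Type", ""), d.get("Object", "") + d.get("Data", "")))
    return cookies, others


def summarize(text):
    processes, detections = parse_log(text)
    cookies, others = triage_detections(detections)
    return {
        "processes": len(processes),
        "flagged_processes": triage_processes(processes),
        "cookies": len(cookies),
        "actionable": others,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A missing or placeholder CompanyName is not proof of anything (mmtask.exe ships that way from its vendor), which is why the script only flags entries for a manual look rather than ranking them; the file hit in a user's Temp directory is the kind of object the analyst would act on, while cookies are counted and set aside.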
#25
Registered User
Join Date: Jan 2005
Posts: 17
OS: XP Pro
AdAware Log

Ad-Aware SE Build 1.05
Logfile Created on:Friday, January 14, 2005 9:01:01 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R25 11.01.2005

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
eUniverse(TAC index:10):2 total references
Tracking Cookie(TAC index:3):13 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

1-14-2005 9:01:01 PM - Scan started.
(Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 588 ThreadCreationTime : 1-15-2005 1:32:44 AM BasePriority : Normal
#:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 652 ThreadCreationTime : 1-15-2005 1:32:45 AM BasePriority : Normal
#:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 676 ThreadCreationTime : 1-15-2005 1:32:45 AM BasePriority : High
#:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 720 ThreadCreationTime : 1-15-2005 1:32:45 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe
#:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 732 ThreadCreationTime : 1-15-2005 1:32:45 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe
#:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 904 ThreadCreationTime : 1-15-2005 1:32:46 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:7 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 980 ThreadCreationTime : 1-15-2005 1:32:46 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1072 ThreadCreationTime : 1-15-2005 1:32:46 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1120 ThreadCreationTime : 1-15-2005 1:32:46 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:10 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1300 ThreadCreationTime : 1-15-2005 1:32:47 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:11 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1456 ThreadCreationTime : 1-15-2005 1:32:48 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : spoolsv.exe
#:12 [guarddog.exe] FilePath : C:\Program Files\McAfee\McAfee Privacy Service\ ProcessID : 1500 ThreadCreationTime : 1-15-2005 1:32:48 AM BasePriority : Normal FileVersion : 6.02.1063.0 ProductVersion : 6.02.1063.0 ProductName : McAfee Privacy Service CompanyName : Network Associates, Inc. FileDescription : McAfee Privacy Service Application InternalName : IG32 LegalCopyright : Copyright © 2003 Networks Associates Technology, Inc. All rights reserved OriginalFilename : GUARDDOG.EXE
#:13 [ctsvccda.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1668 ThreadCreationTime : 1-15-2005 1:32:59 AM BasePriority : Normal FileVersion : 1.0.1.0 ProductVersion : 1.0.0.0 ProductName : Creative Service for CDROM Access CompanyName : Creative Technology Ltd FileDescription : Creative Service for CDROM Access InternalName : CTsvcCDAEXE LegalCopyright : Copyright (c) Creative Technology Ltd., 1999. All rights reserved. OriginalFilename : CTsvcCDA.EXE
#:14 [mcvsrte.exe] FilePath : c:\PROGRA~1\mcafee.com\vso\ ProcessID : 1712 ThreadCreationTime : 1-15-2005 1:32:59 AM BasePriority : Normal FileVersion : 8, 0, 0, 12 ProductVersion : 8, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : Networks Associates Technology, Inc FileDescription : McAfee VirusScan Real-time Engine InternalName : mcvsrte LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc OriginalFilename : mcvsrte.exe Comments : McAfee VirusScan Real-time Engine
#:15 [mpfservice.exe] FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\ ProcessID : 1732 ThreadCreationTime : 1-15-2005 1:32:59 AM BasePriority : Normal FileVersion : 4.1.0.1 ProductVersion : 4.1.0.1 ProductName : McAfee Personal Firewall CompanyName : McAfee Corporation FileDescription : McAfee Personal Firewall Service InternalName : MPFService LegalCopyright : Copyright © 2000,2001 OriginalFilename : MpfService.exe Comments : McAfee Personal Firewall Service
#:16 [msksrvr.exe] FilePath : C:\PROGRA~1\McAfee\SPAMKI~1\ ProcessID : 1748 ThreadCreationTime : 1-15-2005 1:32:59 AM BasePriority : Normal FileVersion : 5.1.0.7 ProductVersion : 5.1 ProductName : McAfee SpamKiller CompanyName : Networks Associates Technology. Inc. FileDescription : McAfee SpamKiller Server InternalName : MSKSRVR LegalCopyright : Copyright © 1998-2004, Networks Associates Technology, Inc. OriginalFilename : MSKSRVR.EXE
#:17 [nvsvc32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1960 ThreadCreationTime : 1-15-2005 1:33:04 AM BasePriority : Normal FileVersion : 6.14.10.4501 ProductVersion : 6.14.10.4501 ProductName : NVIDIA Driver Helper Service, Version 45.01 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 45.01 InternalName : NVSVC LegalCopyright : (C) NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe
#:18 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 2016 ThreadCreationTime : 1-15-2005 1:33:04 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:19 [mspmspsv.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 172 ThreadCreationTime : 1-15-2005 1:33:04 AM BasePriority : Normal FileVersion : 7.00.00.1954 ProductVersion : 7.00.00.1954 ProductName : Microsoft (R) DRM CompanyName : Microsoft Corporation FileDescription : WMDM PMSP Service InternalName : MSPMSPSV.EXE LegalCopyright : Copyright (C) Microsoft Corp. 1981-2000 OriginalFilename : MSPMSPSV.EXE
#:20 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 212 ThreadCreationTime : 1-15-2005 1:33:04 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:21 [mcshield.exe] FilePath : c:\PROGRA~1\mcafee.com\vso\ ProcessID : 496 ThreadCreationTime : 1-15-2005 1:33:05 AM BasePriority : High
#:22 [alg.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 968 ThreadCreationTime : 1-15-2005 1:33:07 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Application Layer Gateway Service InternalName : ALG.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : ALG.exe
#:23 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 184 ThreadCreationTime : 1-15-2005 1:52:58 AM BasePriority : Normal FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 6.00.2900.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE
#:24 [guarddog.exe] FilePath : C:\Program Files\McAfee\McAfee Privacy Service\ ProcessID : 1548 ThreadCreationTime : 1-15-2005 1:52:58 AM BasePriority : Normal FileVersion : 6.02.1063.0 ProductVersion : 6.02.1063.0 ProductName : McAfee Privacy Service CompanyName : Network Associates, Inc. FileDescription : McAfee Privacy Service Application InternalName : IG32 LegalCopyright : Copyright © 2003 Networks Associates Technology, Inc. All rights reserved OriginalFilename : GUARDDOG.EXE
#:25 [support.exe] FilePath : C:\Program Files\Common Files\Dell\EUSW\ ProcessID : 1620 ThreadCreationTime : 1-15-2005 1:53:00 AM BasePriority : Normal FileVersion : 2, 1, 1, 0 ProductVersion : 1, 0, 0, 1 ProductName : Dell Support CompanyName : Dell FileDescription : Support InternalName : Support LegalCopyright : Copyright © 2002 OriginalFilename : Support.exe
#:26 [mcvsshld.exe] FilePath : C:\PROGRA~1\mcafee.com\vso\ ProcessID : 240 ThreadCreationTime : 1-15-2005 1:53:00 AM BasePriority : Normal FileVersion : 8, 0, 0, 15 ProductVersion : 8, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : Networks Associates Technology, Inc FileDescription : McAfee VirusScan ActiveShield Resource InternalName : msvcshld LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc OriginalFilename : mcvsshld.exe Comments : McAfee VirusScan ActiveShield Resource
#:27 [realsched.exe] FilePath : C:\Program Files\Common Files\Real\Update_OB\ ProcessID : 1956 ThreadCreationTime : 1-15-2005 1:53:00 AM BasePriority : Normal FileVersion : 0.1.0.1622 ProductVersion : 0.1.0.1622 ProductName : RealOne Player (32-bit) CompanyName : RealNetworks, Inc. FileDescription : RealNetworks Scheduler InternalName : schedapp LegalCopyright : Copyright © RealNetworks, Inc. 1995-2002 LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc. OriginalFilename : realsched.exe
#:28 [tgcmd.exe] FilePath : C:\Program Files\Support.com\bin\ ProcessID : 244 ThreadCreationTime : 1-15-2005 1:53:00 AM BasePriority : Normal FileVersion : 5,5,402,0 ProductVersion : 5,5,402,0 ProductName : Support.com Scheduler and Command Dispatcher CompanyName : Support.com, Inc. FileDescription : Support.com Scheduler and Command Dispatcher InternalName : TGCMD LegalCopyright : Copyright 1997-2069 Support.com OriginalFilename : TGCMD.EXE
#:29 [notifyalert.exe] FilePath : C:\Program Files\Dell\Support\Alert\bin\ ProcessID : 2036 ThreadCreationTime : 1-15-2005 1:53:00 AM BasePriority : Normal
#:30 [pcmservice.exe] FilePath : C:\Program Files\Dell\Media Experience\ ProcessID : 1288 ThreadCreationTime : 1-15-2005 1:53:01 AM BasePriority : Normal FileVersion : 1.0.0826 ProductVersion : 1.0.0826 ProductName : PCM2Launcher Application CompanyName : CyberLink Corp. FileDescription : PowerCinema Resident Program for Dell InternalName : PowerCinema Resident Program for Dell LegalCopyright : Copyright c 2003 CyberLink Corp. OriginalFilename : PCM2Launcher.EXE
#:31 [mcvsescn.exe] FilePath : c:\progra~1\mcafee.com\vso\ ProcessID : 220 ThreadCreationTime : 1-15-2005 1:53:01 AM BasePriority : Normal FileVersion : 8, 0, 0, 30 ProductVersion : 8, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : Networks Associates Technology, Inc FileDescription : McAfee VirusScan E-mail Scan Module InternalName : mcvsescn LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc OriginalFilename : mcvsescn.EXE Comments : McAfee VirusScan E-mail Scan Module
#:32 [mskagent.exe] FilePath : C:\PROGRA~1\McAfee\SPAMKI~1\ ProcessID : 976 ThreadCreationTime : 1-15-2005 1:53:02 AM BasePriority : Normal FileVersion : 5, 0, 0, 4 ProductVersion : 5, 0, 0, 0 ProductName : McAfee SpamKiller CompanyName : Networks Associates Technology, Inc FileDescription : McAfee SpamKiller Agent Interface module InternalName : MskAgent LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc OriginalFilename : MskAgent.exe
#:33 [mpftray.exe] FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\ ProcessID : 548 ThreadCreationTime : 1-15-2005 1:53:02 AM BasePriority : Normal FileVersion : 5.0.1.5 ProductVersion : 5.0.1.5 ProductName : McAfee Personal Firewall (MPF) CompanyName : McAfee Security FileDescription : McAfee Personal Firewall Tray Monitor InternalName : MpfTray LegalCopyright : Copyright © 2000-2003 Networks Associates Technologies, Inc. OriginalFilename : MPFTRAY.EXE Comments : Tray Icon for McAfee Personal Firewall
#:34 [mm_tray.exe] FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\ ProcessID : 1884 ThreadCreationTime : 1-15-2005 1:53:02 AM BasePriority : Normal FileVersion : 8.10.1006 ProductVersion : 8.10.1006 ProductName : MUSICMATCH JUKEBOX CompanyName : MUSICMATCH, Inc. FileDescription : mm_tray InternalName : mm_tray LegalCopyright : Copyright © MUSICMATCH 1998-2003 LegalTrademarks : OriginalFilename : mm_tray.exe
#:35 [mmtask.exe] FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\ ProcessID : 1624 ThreadCreationTime : 1-15-2005 1:53:03 AM BasePriority : Normal FileVersion : 1.0.0.1 ProductVersion : 1.0.0.1 ProductName : TODO: <Product name> CompanyName : TODO: <Company name> FileDescription : TODO: <File description> InternalName : mmtask.exe LegalCopyright : TODO: (c) <Company name>. All rights reserved. OriginalFilename : mmtask.exe
#:36 [cmgrdian.exe] FilePath : C:\Program Files\McAfee\McAfee Shared Components\Guardian\ ProcessID : 2056 ThreadCreationTime : 1-15-2005 1:53:04 AM BasePriority : Normal FileVersion : 3.01.1028.0 ProductVersion : 3.01.1028.0 ProductName : McAfee Windows Guardian CompanyName : Network Associates, Inc. FileDescription : McAfee Guardian Agent InternalName : CMGrdian LegalCopyright : Copyright © 1997-2001 Network Associates, Inc. All rights reserved OriginalFilename : CMGrdian.exe
#:37 [intelmem.exe] FilePath : C:\Program Files\Intel\Modem Event Monitor\ ProcessID : 2100 ThreadCreationTime : 1-15-2005 1:53:04 AM BasePriority : Normal FileVersion : 0, 1, 0, 10 ProductVersion : 0, 1, 0, 10 ProductName : Intel Modem Event Monitor Application CompanyName : Intel Corporation FileDescription : Modem Event Monitor Application InternalName : Modem Event Monitor LegalCopyright : Copyright (C) 2003 OriginalFilename : IntelMEM.exe
#:38 [tfswctrl.exe] FilePath : C:\WINDOWS\system32\dla\ ProcessID : 2144 ThreadCreationTime : 1-15-2005 1:53:04 AM BasePriority : Normal FileVersion : 1.04.05b CompanyName : Sonic Solutions FileDescription : Drive Letter Access Component LegalCopyright : Copyright © 2003 Sonic Solutions
#:39 [hpoorn07.exe] FilePath : C:\Program Files\new\HP OfficeJet K80\AiO\hp officejet k series\Bin\ ProcessID : 2344 ThreadCreationTime : 1-15-2005 1:53:07 AM BasePriority : Normal FileVersion : 2.00 ProductVersion : A.14.05.09 ProductName : hp officejet k series CompanyName : Hewlett-Packard Co. FileDescription : HP OfficeJet COM Device Objects InternalName : HPOORN07 LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000 OriginalFilename : HPOORN07.EXE Comments : HP OfficeJet K Series COM Device Objects
#:40 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 2484 ThreadCreationTime : 1-15-2005 1:53:07 AM BasePriority : Normal FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) ProductVersion : 5.1.2600.2180 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe
#:41 [mpfagent.exe] FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\ ProcessID : 2500 ThreadCreationTime : 1-15-2005 1:53:07 AM BasePriority : Normal FileVersion : 5.1.0.8 ProductVersion : 5.1.0.8 ProductName : McAfee Personal Firewall (MPF) CompanyName : McAfee Security FileDescription : McAfee Personal Firewall Agent Interface InternalName : MpfAgent LegalCopyright : Copyright © 2000-2004 Networks Associates Technologies, Inc. OriginalFilename : MPFAGENT.EXE Comments : McAfee Personal Firewall Security Center Module
#:42 [msbntray.exe] FilePath : C:\Program Files\Microsoft Broadband Networking\ ProcessID : 2576 ThreadCreationTime : 1-15-2005 1:53:09 AM BasePriority : Normal FileVersion : 2.2.731 ProductVersion : 2.2.731 ProductName : Microsoft Broadband Networking Software CompanyName : Microsoft Corporation FileDescription : Microsoft Broadband Networking Tray Application InternalName : MSBNTray.exe LegalCopyright : Copyright © 1995-2004 Microsoft Corporation OriginalFilename : MSBNTray.exe
#:43 [diagent.exe] FilePath : C:\Program Files\Creative\SBLive\Diagnostics\ ProcessID : 2880 ThreadCreationTime : 1-15-2005 1:53:15 AM BasePriority : Normal FileVersion : 1, 1, 4, 0 ProductVersion : 1.01.04 ProductName : Creative Diagnostics Agent CompanyName : Creative Technology Ltd FileDescription : Creative Diagnostics Agent InternalName : Creative Diagnostics Agent LegalCopyright : Copyright (C) 2002 Creative Technology Ltd OriginalFilename : diagent.exe
#:44 [hpoevm07.exe] FilePath : C:\PROGRA~1\new\HPOFFI~1\AiO\Shared\Bin\ ProcessID : 2888 ThreadCreationTime : 1-15-2005 1:53:15 AM BasePriority : Normal FileVersion : 1.00 ProductVersion : A.14.05.09 ProductName : hp officejet k series CompanyName : Hewlett-Packard Co. FileDescription : HP OfficeJet COM Event Manager InternalName : HPOEVM07 LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000 OriginalFilename : HPOEVM07.EXE Comments : HP OfficeJet COM Event Manager
#:45 [hposts07.exe] FilePath : C:\Program Files\new\HP OfficeJet K80\AiO\Shared\bin\ ProcessID : 2980 ThreadCreationTime : 1-15-2005 1:53:16 AM BasePriority : Normal FileVersion : 1.00 ProductVersion : A.14.05.09 ProductName : hp officejet k series CompanyName : Hewlett-Packard Co. FileDescription : HP OfficeJet Status InternalName : HPOSTS07 LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000 OriginalFilename : HPOCPY07.EXE Comments : HP OfficeJet Status
#:46 [hpofxm07.exe] FilePath : C:\Program Files\new\HP OfficeJet K80\AiO\Shared\bin\ ProcessID : 2992 ThreadCreationTime : 1-15-2005 1:53:16 AM BasePriority : Normal FileVersion : 1.00 ProductVersion : A.14.05.09 ProductName : hp officejet k series CompanyName : Hewlett-Packard Co. FileDescription : HP OfficeJet G Series Fax Manager InternalName : HPOFXM07 LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2000 OriginalFilename : HPOFXM07.EXE Comments : HP OfficeJet G Series Fax Manager
#:47 [hpoipm07.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 3004 ThreadCreationTime : 1-15-2005 1:53:16 AM BasePriority : Normal FileVersion : 4, 5, 0, 767 ProductVersion : 4, 5, 0, 767 ProductName : HP PML CompanyName : HP FileDescription : PML Driver InternalName : PmlDrv LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company OriginalFilename : PmlDrv.exe
#:48 [msmsgs.exe] FilePath : C:\Program Files\Messenger\ ProcessID : 3656 ThreadCreationTime : 1-15-2005 1:53:59 AM BasePriority : Normal FileVersion : 4.7.3000 ProductVersion : Version 4.7.3000 ProductName : Messenger CompanyName : Microsoft Corporation FileDescription : Windows Messenger InternalName : msmsgs LegalCopyright : Copyright (c) Microsoft Corporation 2004 LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries. OriginalFilename : msmsgs.exe
#:49 [mcvsftsn.exe] FilePath : c:\progra~1\mcafee.com\vso\ ProcessID : 3716 ThreadCreationTime : 1-15-2005 1:54:00 AM BasePriority : Normal FileVersion : 8, 0, 0, 20 ProductVersion : 8, 0, 0, 0 ProductName : McAfee VirusScan CompanyName : Networks Associates Technology, Inc FileDescription : McAfee VirusScan Instant Messenger Scan Module InternalName : mcvsftsn LegalCopyright : Copyright © 1998-2003 Networks Associates Technology, Inc OriginalFilename : mcvsftsn.EXE Comments : McAfee VirusScan Instant Messenger Scan Module
#:50 [ad-aware.exe] FilePath : C:\PROGRA~1\new\HIJACK~1\ADAWAR~1\AD-AWA~1\ ProcessID : 3228 ThreadCreationTime : 1-15-2005 2:00:54 AM BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved
#:51 [hh.exe] FilePath : C:\WINDOWS\ ProcessID : 840 ThreadCreationTime : 1-15-2005 2:00:54 AM BasePriority : Normal FileVersion : 5.2.3790.1159 (dnsrv.040209-1620) ProductVersion : 5.2.3790.1159 ProductName : HTML Help CompanyName : Microsoft Corporation FileDescription : Microsoft® HTML Help Executable InternalName : HH 1.41 LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : HH.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry Data : bob@trafficmp[2].txt Category : Data Miner Comment : Hits:45 Value : Cookie:bob@trafficmp.com/ Expires : 1-14-2006 9:38 PM LastSync : Hits:45 UseCount : 0 Hits : 45
Tracking Cookie Object Recognized! Type : IECache Entry Data : bob@casalemedia[2].txt Category : Data Miner Comment : Hits:25 Value : Cookie:bob@casalemedia.com/ Expires : 1-5-2006 3:53:52 PM LastSync : Hits:25 UseCount : 0 Hits : 25
Tracking Cookie Object Recognized! Type : IECache Entry Data : bob@zedo[2].txt Category : Data Miner Comment : Hits:8 Value : Cookie:bob@zedo.com/ Expires : 1-9-2015 10:46:58 PM LastSync : Hits:8 UseCount : 0 Hits : 8

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 3
Objects found so far: 3

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
eUniverse Object Recognized! Type : File Data : kbdummy.dll Category : Data Miner Comment : Object : C:\Documents and Settings\Bob\Local Settings\Temp\ FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : exe_in_dll Module FileDescription : exe_in_dll Module InternalName : exe_in_dll LegalCopyright : Copyright 2001 OriginalFilename : exe_in_dll.DLL
Tracking Cookie Object Recognized! Type : IECache Entry Data : terese@questionmarket[1].txt Category : Data Miner Comment : Value : C:\Documents and Settings\Terese\Cookies\terese@questionmarket[1].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@doubleclick[1].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@doubleclick[1].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@ehg-dig.hitbox[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@ehg-dig.hitbox[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@hitbox[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@hitbox[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@linksynergy[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@linksynergy[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@mediaplex[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@mediaplex[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@questionmarket[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@questionmarket[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@trafficmp[2].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@trafficmp[2].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@www.commission-junction[1].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@www.commission-junction[1].txt
Tracking Cookie Object Recognized! Type : IECache Entry Data : ltt@www.qksrv[1].txt Category : Data Miner Comment : Value : C:\RECYCLER\S-1-5-21-3210500978-1510997706-409661707-1007\Dc8\ltt@www.qksrv[1].txt
eUniverse Object Recognized! Type : File Data : A0000043.dll Category : Data Miner Comment : Object : C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\ FileVersion : 1, 0, 0, 1 ProductVersion : 1, 0, 0, 1 ProductName : exe_in_dll Module FileDescription : exe_in_dll Module InternalName : exe_in_dll LegalCopyright : Copyright 2001 OriginalFilename : exe_in_dll.DLL

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 15

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

9:07:37 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00 35.953
Objects scanned:113540
Objects identified:15
Objects ignored:0
New critical objects:15

"Silent Runners.vbs", revision 29, launched at: 21:14
Output limited to non-default values, except where indicated by "{++}"
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sonic RecordNow!" = (no data)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DwlClient" = "C:\Program Files\Common Files\Dell\EUSW\Support.exe" ["Dell"]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"tgcmd" = ""C:\Program Files\Support.com\bin\tgcmd.exe" /server" ["Support.com, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"PCMService" = ""C:\Program Files\Dell\Media Experience\PCMService.exe"" ["CyberLink Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["Networks Associates Technology, Inc."]
"MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["Networks Associates Technology, Inc"]
"MPFTray" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"MMTray" = "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"McAfee Guardian" = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU" ["Network Associates, Inc."]
"IntelMeM" = "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" ["Intel Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"diagent" = ""C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup" ["Creative Technology Ltd"]
"McRegWiz" = "c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\new\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "DriveLetterAccess" [from CLSID]
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
{cc4b2ee5-4803-11d7-8a38-00b0d0c6b814}\(Default) = "McAfee Privacy Service Helper Object" [from CLSID]
  -> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL" ["Network Associates, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> CLSID InProcServer32 resolves to: "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Sonic\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> CLSID InProcServer32 resolves to: "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> CLSID InProcServer32 resolves to: "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\NEW\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\NEW\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\NEW\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\NEW\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MI1933~1\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> CLSID InProcServer32 resolves to: "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS]

Startup items in "Bob" & "All Users" startup folders:
-----------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HPAiODevice(hp officejet k series) - 1" -> shortcut to: "C:\Program Files\new\HP OfficeJet K80\AiO\hp officejet k series\Bin\hpoorn07.exe -DeviceID 1081618256" ["Hewlett-Packard Co."]
"Microsoft Broadband Networking" -> shortcut to: "C:\WINDOWS\Installer\{8CC15633-2327-43F4-BA85-B83FDB4B59BE}\_18be6784.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"McAfee Privacy Service Anti-Spyware Scan" -> launches: "C:\PROGRA~1\McAfee\MCAFEE~3\swdetect.exe /SCHEDULEDSCAN" ["Network Associates, Inc."]
"McAfee.com Scan for Viruses - My Computer (LTBDELL2-Bob)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["Networks Associates Technology, Inc"]
"McAfee.com Scan for Viruses - My Computer (LTBDELL2-Terese)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["Networks Associates Technology, Inc"]
"McAfee.com Update Check (LTBDELL2-Bob)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]
"McAfee.com Update Check (LTBDELL2-Terese)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe" ["McAfee Corporation"]
McAfee Privacy Service, GuardDogEXE, ""C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE" ["Network Associates, Inc."]
McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["Networks Associates Technology. Inc."]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["Network Associates, Inc."]
McAfee.com VirusScan Online Realtime Engine, MCVSRte, "c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding" ["Networks Associates Technology, Inc"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
----------
Warning! This utility will find legitimate files in addition to malware. Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Program Files\new\HIJACK This\Castle Cops\Find It NT-2K-XP

------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is D8A1-59EB

 Directory of C:\WINDOWS\System32

09/30/2004 09:28 PM <DIR> DLLCACHE
03/18/2004 12:11 PM <DIR> Microsoft
 0 File(s) 0 bytes
 2 Dir(s) 110,323,793,920 bytes free

------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is D8A1-59EB

 Directory of C:\WINDOWS\System32

09/30/2004 09:28 PM <DIR> DLLCACHE
09/03/2002 02:33 PM 488 logonui.exe.manifest
09/03/2002 02:33 PM 488 WindowsLogon.manifest
09/03/2002 02:33 PM 749 nwc.cpl.manifest
09/03/2002 02:33 PM 749 sapi.cpl.manifest
09/03/2002 02:33 PM 749 ncpa.cpl.manifest
09/03/2002 02:33 PM 749 wuaucpl.cpl.manifest
09/03/2002 02:33 PM 749 cdplayer.exe.manifest
 7 File(s) 4,721 bytes
 1 Dir(s) 110,323,793,920 bytes free

------------ Files Named "Guard" ---------------

 Volume in drive C has no label.
 Volume Serial Number is D8A1-59EB

 Directory of C:\WINDOWS\System32

------ Temp Files in System32 Directory ------

 Volume in drive C has no label.
 Volume Serial Number is D8A1-59EB

 Directory of C:\WINDOWS\System32

08/29/2002 06:00 AM 2,577 CONFIG.TMP
 1 File(s) 2,577 bytes
 0 Dir(s) 110,323,789,824 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

------------- Locate.com Results -------------

No matches found.

-------- Strings.exe Qoologic Results --------

--------- Strings.exe Aspack Results ---------

C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MSKDetectorExe"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MSKDetct.exe /startup"
"MSKAGENTEXE"="C:\\PROGRA~1\\McAfee\\SPAMKI~1\\MskAgent.exe"
"MPFTray"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"McAfee Guardian"="C:\\Program Files\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe /SU"
"IntelMeM"="C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"McRegWiz"="c:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
#26
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Go to c:\windows\system32\drivers\etc and open the hosts file (no extension) in Notepad. There should be a bunch of lines with a # in front of them, followed by a single line like:

127.0.0.1 localhost

If you have anything after that, please post it here.

==========

Run CleanUp! again. Reboot and report back on pop-ups. If better, post a fresh HJT log.
__________________
GO BIG BLUE!!
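The hosts-file check the post above asks for, as an added Python example that is not part of the thread or of any tool mentioned in it: it parses hosts-file text in the format Windows uses, skips the `#` comment lines, and reports every active mapping other than the stock `127.0.0.1 localhost` line, separating loopback entries (which merely block a name) from entries that send a name to some other address (the pattern that silently redirects a browser or an updater). The sample content, the `192.0.2.x` addresses (documentation range) and the example.com/example.org names are constructed for the demonstration; on a real machine you would feed it the text of `C:\WINDOWS\system32\drivers\etc\hosts`.

```python
"""Report non-default entries in a Windows hosts file (constructed example)."""
import ipaddress
from typing import List, NamedTuple, Tuple

# The one mapping a stock Windows XP hosts file carries; anything else deserves a look.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


class HostsEntry(NamedTuple):
    lineno: int
    ip: str                 # normalised address text, or "<invalid>" for a malformed line
    hostnames: Tuple[str, ...]  # one address may map several names on a single line


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the active (non-comment) mappings in hosts-file text.

    Blank lines and '#' comment lines are skipped, inline comments are stripped,
    and tabs/spaces both separate fields. A line whose first token is not a valid
    IP address is kept with ip="<invalid>" rather than dropped: a malformed line
    in this file is itself something a reviewer wants to see.
    """
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
            names = tuple(tokens[1:])
        except ValueError:
            ip, names = "<invalid>", tuple(tokens)
        entries.append(HostsEntry(lineno, ip, names))
    return entries


def non_default_entries(text: str) -> List[HostsEntry]:
    """Everything after '127.0.0.1 localhost': the lines the moderator asks to see."""
    flagged = []
    for e in parse_hosts(text):
        if e.ip == "<invalid>" or any((e.ip, n.lower()) not in DEFAULT_ENTRIES for n in e.hostnames):
            flagged.append(e)
    return flagged


def redirect_entries(text: str) -> List[HostsEntry]:
    """Subset of non-default entries whose address is neither loopback nor 0.0.0.0.

    Loopback/unspecified targets only block a name (ad-blocking lists use them);
    any other target means the machine will reach an address the user did not choose.
    """
    result = []
    for e in non_default_entries(text):
        if e.ip == "<invalid>":
            continue
        addr = ipaddress.ip_address(e.ip)
        if not (addr.is_loopback or addr.is_unspecified):
            result.append(e)
    return result


# Constructed sample, not a real machine's file. Line numbers are 1-based:
# the localhost line is line 5; lines 6-9 are the ones a reviewer should see.
SAMPLE_HOSTS = """\
# Constructed sample for this example, not a real machine's hosts file.
# Comment lines start with '#', as in the stock Windows file.
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       ads.example.net           # loopback: blocks the name, harmless
192.0.2.10      www.example.com           # redirect to a non-local address
192.0.2.10      update.example.org  download.example.org
this line is not a valid mapping
"""


def report(text: str) -> str:
    """Human-readable summary of what the two checks found."""
    lines = []
    for e in non_default_entries(text):
        kind = "REDIRECT" if e in redirect_entries(text) else "block/other"
        lines.append(f"line {e.lineno}: {e.ip} -> {' '.join(e.hostnames)} [{kind}]")
    return "\n".join(lines) if lines else "only the default localhost entry found"


if __name__ == "__main__":
    print(report(SAMPLE_HOSTS))
```

Running it on the constructed sample lists lines 6 to 9; lines 7 and 8 are the redirects, line 9 is reported as malformed, and a file containing only `127.0.0.1 localhost` produces an empty result.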
#27
Registered User
Join Date: Jan 2005
Posts: 17
OS: XP Pro
qoologic
I missed this step in the previous post, here's the log:

C:\Documents and Settings\Bob\Desktop\qoologic\qoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

Files Found in all users startup Folder............

StartupList report, 1/15/2005, 11:09:44 AM
StartupList version: 1.52.2
Started from : C:\Program Files\new\HIJACK This\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\new\HP OfficeJet K80\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\new\HPOFFI~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\new\HP OfficeJet K80\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\new\HP OfficeJet K80\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\new\HIJACK This\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Bob\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\new\HP OfficeJet K80\AiO\hp officejet k series\Bin\hpoorn07.exe
Microsoft Broadband Networking.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sonic RecordNow! =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\Current