Hi, I am a newbie to all this and i see i am infected by the famous netsearchsoft , please can someone help me, i have posted my hijackthis log
regards
tim
ps i have already chexked and deleted the file that showed the netsearchsoft name and this is a copy of the log after that. If i shut down or reboot the file comes back!!!
Logfile of HijackThis v1.97.7
Scan saved at 17:46:26, on 04/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\flagfind\hide bags.exe
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Tim\LOCALS~1\Temp\Rar$EX10.22256\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67722F0F-38C8-41B7-A54C-2FCB6AA2EA9E}: NameServer = 194.168.4.100 194.168.8.100
Full Version: netsearchsoft removal
Hi
I would greatly appreciate help in removal of this problem, below is my log file
regards
tim
Logfile of HijackThis v1.97.7
Scan saved at 16:36:59, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\flagfind\hide bags.exe
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Tim\LOCALS~1\Temp\Rar$EX00.041\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
I would greatly appreciate help in removal of this problem, below is my log file
regards
tim
Logfile of HijackThis v1.97.7
Scan saved at 16:36:59, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\flagfind\hide bags.exe
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Tim\LOCALS~1\Temp\Rar$EX00.041\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...p://about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
Hi Tim,
We're not ignoring you - we are just backlogged on the number of help requests here.
Did you download and UPDATE then run Adaware? If so, do you see Ref File #01R302 03.05.2004 loaded ?
If not, follow these steps to download, install and update then scan again. Let us see a new log in case you have a undetected new variant of this hijacker and I will need to give you manual removal instructions.
Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)
Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)
Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.
After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen.
Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:
Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file
Then click *proceed* to save settings.
Click on *Tweak* next. And checkmark to make this green also:
Automatically try to unregister objects prior to deletion
Click on *proceed*
Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.
Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).
Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
We're not ignoring you - we are just backlogged on the number of help requests here.
Did you download and UPDATE then run Adaware? If so, do you see Ref File #01R302 03.05.2004 loaded ?
If not, follow these steps to download, install and update then scan again. Let us see a new log in case you have a undetected new variant of this hijacker and I will need to give you manual removal instructions.
Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/
(choose download from the lefthand menu)
Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from
http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)
Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.
After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen.
Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:
Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file
Then click *proceed* to save settings.
Click on *Tweak* next. And checkmark to make this green also:
Automatically try to unregister objects prior to deletion
Click on *proceed*
Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.
Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).
Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.
hi,
yes i have updated adaware and have show the log for you here, also the hijack this log.
I followed the instructions and after rebooting the problem came straight back even though adaware could find any problems.
Help!!!
Logfile of HijackThis v1.97.7
Scan saved at 20:45:24, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\flagfind\hide bags.exe
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67722F0F-38C8-41B7-A54C-2FCB6AA2EA9E}: NameServer = 194.168.4.100 194.168.8.100
adaware log
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :05 May 2004 20:35:37
Created with Ad-aware Personal, free for private use.
Using reference-file :01R302 03.05.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
05-05-2004 20:35:37 - Scan started. (Smart mode)
Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 05-05-2004 19:34:55
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:35:00
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 05-05-2004 19:35:00
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:9 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 92 KB
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright © SEIKO EPSON CORP. 2000-2001
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
OriginalFilename : SAgent2.exe
ProductName : EPSON Bidirectional Printer
Created on : 19/02/2004 11:03:33
Last accessed : 04/05/2004 23:00:00
Last modified : 17/07/2002 01:03:00
#:10 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright © Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 09:07:30
Last accessed : 04/05/2004 23:00:00
Last modified : 23/02/2001 09:07:30
#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6.13.10.3638
ProductVersion : 6.13.10.3638
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 36.38
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 36.38
Created on : 09/09/2002 10:09:38
Last accessed : 04/05/2004 23:00:00
Last modified : 24/07/2002 22:18:00
#:12 [slserv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 44 KB
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
Copyright : Copyright
FileDescription : User-Level Modem Service
InternalName : slserv
OriginalFilename : slserv.exe
ProductName : Modem
Created on : 29/11/2001 07:39:14
Last accessed : 04/05/2004 23:00:00
Last modified : 29/11/2001 07:39:14
#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:14 [tmesbs32.exe]
FilePath : C:\Program Files\TOSHIBA\TME3\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2, 1, 1, 11
ProductVersion : 2, 1, 0, 1
Copyright : Copyright © TOSHIBA Corp.1998-2002
CompanyName : TOSHIBA Corporation
FileDescription : tmesbs32
InternalName : tmesbs3
OriginalFilename : tmesbs32.exe
ProductName : TOSHIBA Mobile Extension Slim Select Bay Service
Created on : 09/09/2002 11:11:16
Last accessed : 04/05/2004 23:00:00
Last modified : 07/08/2002 10:24:18
#:15 [00thotkey.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 240 KB
FileVersion : 1, 0, 0, 12
ProductVersion : 5, 0, 0, 0
Copyright : Copyright © 1999 -2001
CompanyName : TOSHIBA Corp.
FileDescription : THotkey
InternalName : THotkey
OriginalFilename : THotkey.exe
ProductName : TOSHIBA THotkey
Created on : 09/09/2002 11:00:18
Last accessed : 04/05/2004 23:00:00
Last modified : 13/05/2002 08:12:46
#:16 [tpwrtray.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 212 KB
FileVersion : 5.07.14
ProductVersion : 5.07
Copyright : Copyright 1999-2002 TOSHIBA Corporation.
CompanyName : TOSHIBA Corporation
FileDescription : TOSHIBA Power Saver
InternalName : Tpwrtray
OriginalFilename : Tpwrtray.exe
ProductName : TOSHIBA Power Saver
Created on : 09/09/2002 11:09:15
Last accessed : 04/05/2004 23:00:00
Last modified : 19/03/2002 19:38:26
#:17 [tfncky.exe]
FilePath : C:\Program Files\TOSHIBA\TOSHIBA Controls\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 144 KB
FileVersion : 2.02.00
ProductVersion : 2.02.00
Copyright : Copyright 1997-2002 TOSHIBA Corporation. All rights reserved.
CompanyName : TOSHIBA Corporation
FileDescription : TFncKy
InternalName : TFncKy
OriginalFilename : TFncKy.EXE
ProductName : TFncKy
Created on : 09/09/2002 11:10:52
Last accessed : 04/05/2004 23:00:00
Last modified : 23/07/2002 08:31:58
#:18 [tdispvol.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 96 KB
Created on : 09/09/2002 11:10:52
Last accessed : 04/05/2004 23:00:00
Last modified : 02/03/2002 11:40:10
#:19 [tmesbs32.exe]
FilePath : C:\Program Files\TOSHIBA\TME3\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2, 1, 1, 11
ProductVersion : 2, 1, 0, 1
Copyright : Copyright © TOSHIBA Corp.1998-2002
CompanyName : TOSHIBA Corporation
FileDescription : tmesbs32
InternalName : tmesbs3
OriginalFilename : tmesbs32.exe
ProductName : TOSHIBA Mobile Extension Slim Select Bay Service
Created on : 09/09/2002 11:11:16
Last accessed : 04/05/2004 23:00:00
Last modified : 07/08/2002 10:24:18
#:20 [tfnf5.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 72 KB
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
Copyright : Copyright
CompanyName : Toshiba Corp.
FileDescription : TFnF5
InternalName : TFnF5
OriginalFilename : TFnF5.Exe
ProductName : Toshiba Hotkey Utility for Display Devices
Created on : 09/09/2002 10:16:38
Last accessed : 04/05/2004 23:00:00
Last modified : 26/06/2002 13:43:16
#:21 [toshkcw.exe]
FilePath : C:\Program Files\TOSHIBA\Wireless Hotkey\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 48 KB
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
Copyright : Copyright © 2001-2002 TOSHIBA CORPORATION
CompanyName : TOSHIBA CORPORATION
FileDescription : Wireless Hotkey
InternalName : Wireless Hotkey EXE
OriginalFilename : TosHKCW.EXE
ProductName : Wireless Hotkey
Created on : 09/09/2002 11:13:20
Last accessed : 04/05/2004 23:00:00
Last modified : 22/01/2002 17:20:50
#:22 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 124 KB
FileVersion : 6.7.6 16Aug02
ProductVersion : 6.7.6 16Aug02
Copyright : Copyright © Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
OriginalFilename : SynTPLpr.exe
ProductName : Progressive Touch
Created on : 09/09/2002 10:09:21
Last accessed : 04/05/2004 23:00:00
Last modified : 16/08/2002 09:43:14
#:23 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 544 KB
FileVersion : 6.7.6 16Aug02
ProductVersion : 6.7.6 16Aug02
Copyright : Copyright © Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
OriginalFilename : SynTPEnh.exe
ProductName : Progressive Touch
Created on : 09/09/2002 10:09:20
Last accessed : 04/05/2004 23:00:00
Last modified : 16/08/2002 15:18:22
#:24 [touched.exe]
FilePath : C:\Program Files\TOSHIBA\TouchED\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 120 KB
FileVersion : 2, 0, 1, 4
ProductVersion : 2, 0, 1, 4
Copyright : Copyright 1998-2002 TOSHIBA Corporation. All rights reserved.
CompanyName : TOSHIBA Corporation
FileDescription : TouchPad On/Off Utility
InternalName : TouchED
OriginalFilename : TouchED.exe
ProductName : TouchPad On/Off Utility
Created on : 09/09/2002 12:17:31
Last accessed : 04/05/2004 23:00:00
Last modified : 01/08/2002 15:22:42
#:25 [cpadfstr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\CPad\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 20 KB
Created on : 27/04/2003 20:53:16
Last accessed : 04/05/2004 23:00:00
Last modified : 25/08/2002 07:39:54
#:26 [alarmwatcher.exe]
FilePath : C:\Program Files\Synaptics\SynTP\cPad\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 140 KB
Created on : 27/04/2003 20:53:19
Last accessed : 04/05/2004 23:00:00
Last modified : 22/07/2002 13:55:20
#:27 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 1076 KB
FileVersion : 3.39.0
ProductVersion : 3.39.0
Copyright : Copyright © ahead software gmbh and its licensors
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
OriginalFilename : InCD.EXE
ProductName : InCD
Created on : 02/09/2003 20:44:56
Last accessed : 04/05/2004 23:00:00
Last modified : 12/09/2002 17:13:18
#:28 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 03/02/2004 16:05:43
Last accessed : 04/05/2004 23:00:00
Last modified : 03/02/2004 16:05:46
#:29 [e_s10ic2.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 73 KB
FileVersion : 3.05
ProductVersion : 3.05
Copyright : Copyright © SEIKO EPSON CORP. 2002
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
OriginalFilename : E_S10IC2.EXE
ProductName : EPSON Status Monitor 3
Created on : 19/02/2004 11:03:32
Last accessed : 04/05/2004 23:00:00
Last modified : 01/07/2002 02:05:00
#:30 [hide bags.exe]
FilePath : C:\PROGRA~1\flagfind\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 227 KB
Created on : 09/04/2004 19:32:55
Last accessed : 04/05/2004 23:00:00
Last modified : 03/05/2004 06:50:42
#:31 [taumon.exe]
FilePath : C:\PROGRA~1\AGNITUM\TAUSCA~1.7\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 122 KB
FileVersion : 1.7.0.1414
ProductVersion : 1.7.0.1414
Copyright : Copyright © 1999-2004 Agnitum Ltd.
CompanyName : Agnitum Ltd.
FileDescription : Tau monitor
InternalName : Taumon
OriginalFilename : Taumon.EXE
ProductName : Tau monitor
Created on : 14/04/2004 13:03:58
Last accessed : 04/05/2004 23:00:00
Last modified : 07/04/2004 14:03:22
#:32 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 02/05/2004 09:12:43
Last accessed : 04/05/2004 23:00:00
Last modified : 02/05/2004 09:12:44
#:33 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:34 [mnyexpr.exe]
FilePath : C:\Program Files\Microsoft Money\System\
ThreadCreationTime : 05-05-2004 19:35:05
BasePriority : Normal
FileSize : 196 KB
FileVersion : 11.00.0716
ProductVersion : 11.00.0716
Copyright : Copyright © Microsoft Corp. 1990-2001. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : mnyexpr
OriginalFilename : mnyexpr.exe
ProductName : Microsoft Money
Created on : 17/07/2002 10:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 17/07/2002 10:00:00
#:35 [cmags.exe]
FilePath : C:\Program Files\Wireless\Client Manager\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 332 KB
Created on : 31/12/1999 22:03:44
Last accessed : 04/05/2004 23:00:00
Last modified : 28/05/2002 05:45:42
#:36 [ymsgr_tray.exe]
FilePath : C:\PROGRA~1\YAHOO!\MESSEN~1\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 64 KB
Created on : 04/06/2003 01:17:11
Last accessed : 04/05/2004 23:00:00
Last modified : 04/02/2002 17:15:00
#:37 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 164 KB
FileVersion : 1.8.0
ProductVersion : 1, 8, 0, 0
Copyright : Copyright 1999-2003 InterVideo, Inc. All rights reserved.
CompanyName : InterVideo Inc.
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
OriginalFilename : WinCinemaMgr.EXE
ProductName : WinCinema Manager for InterVideo WinCinema products
Created on : 09/09/2002 12:14:27
Last accessed : 04/05/2004 23:00:00
Last modified : 22/10/2003 06:14:26
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 05-05-2004 19:35:18
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 14/04/2004 12:12:02
Last accessed : 04/05/2004 23:00:00
Last modified : 12/07/2003 21:00:20
Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 0
20:37:47 Scan complete
Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:02:09:677
Objects scanned :53636
Objects identified :0
Objects ignored :0
New objects :0
yes i have updated adaware and have show the log for you here, also the hijack this log.
I followed the instructions and after rebooting the problem came straight back even though adaware could find any problems.
Help!!!
Logfile of HijackThis v1.97.7
Scan saved at 20:45:24, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\flagfind\hide bags.exe
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67722F0F-38C8-41B7-A54C-2FCB6AA2EA9E}: NameServer = 194.168.4.100 194.168.8.100
adaware log
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :05 May 2004 20:35:37
Created with Ad-aware Personal, free for private use.
Using reference-file :01R302 03.05.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file
05-05-2004 20:35:37 - Scan started. (Smart mode)
Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 05-05-2004 19:34:55
BasePriority : Normal
#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : High
#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:34:58
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:35:00
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 05-05-2004 19:35:00
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:9 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 92 KB
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
Copyright : Copyright © SEIKO EPSON CORP. 2000-2001
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
OriginalFilename : SAgent2.exe
ProductName : EPSON Bidirectional Printer
Created on : 19/02/2004 11:03:33
Last accessed : 04/05/2004 23:00:00
Last modified : 17/07/2002 01:03:00
#:10 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright © Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 23/02/2001 09:07:30
Last accessed : 04/05/2004 23:00:00
Last modified : 23/02/2001 09:07:30
#:11 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:01
BasePriority : Normal
FileSize : 60 KB
FileVersion : 6.13.10.3638
ProductVersion : 6.13.10.3638
Copyright : © NVIDIA Corporation. All rights reserved.
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 36.38
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 36.38
Created on : 09/09/2002 10:09:38
Last accessed : 04/05/2004 23:00:00
Last modified : 24/07/2002 22:18:00
#:12 [slserv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 44 KB
FileVersion : 2.80.00(24Apr2000)
ProductVersion : 2.80.00
Copyright : Copyright
FileDescription : User-Level Modem Service
InternalName : slserv
OriginalFilename : slserv.exe
ProductName : Modem
Created on : 29/11/2001 07:39:14
Last accessed : 04/05/2004 23:00:00
Last modified : 29/11/2001 07:39:14
#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:14 [tmesbs32.exe]
FilePath : C:\Program Files\TOSHIBA\TME3\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2, 1, 1, 11
ProductVersion : 2, 1, 0, 1
Copyright : Copyright © TOSHIBA Corp.1998-2002
CompanyName : TOSHIBA Corporation
FileDescription : tmesbs32
InternalName : tmesbs3
OriginalFilename : tmesbs32.exe
ProductName : TOSHIBA Mobile Extension Slim Select Bay Service
Created on : 09/09/2002 11:11:16
Last accessed : 04/05/2004 23:00:00
Last modified : 07/08/2002 10:24:18
#:15 [00thotkey.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 240 KB
FileVersion : 1, 0, 0, 12
ProductVersion : 5, 0, 0, 0
Copyright : Copyright © 1999 -2001
CompanyName : TOSHIBA Corp.
FileDescription : THotkey
InternalName : THotkey
OriginalFilename : THotkey.exe
ProductName : TOSHIBA THotkey
Created on : 09/09/2002 11:00:18
Last accessed : 04/05/2004 23:00:00
Last modified : 13/05/2002 08:12:46
#:16 [tpwrtray.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 212 KB
FileVersion : 5.07.14
ProductVersion : 5.07
Copyright : Copyright 1999-2002 TOSHIBA Corporation.
CompanyName : TOSHIBA Corporation
FileDescription : TOSHIBA Power Saver
InternalName : Tpwrtray
OriginalFilename : Tpwrtray.exe
ProductName : TOSHIBA Power Saver
Created on : 09/09/2002 11:09:15
Last accessed : 04/05/2004 23:00:00
Last modified : 19/03/2002 19:38:26
#:17 [tfncky.exe]
FilePath : C:\Program Files\TOSHIBA\TOSHIBA Controls\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 144 KB
FileVersion : 2.02.00
ProductVersion : 2.02.00
Copyright : Copyright 1997-2002 TOSHIBA Corporation. All rights reserved.
CompanyName : TOSHIBA Corporation
FileDescription : TFncKy
InternalName : TFncKy
OriginalFilename : TFncKy.EXE
ProductName : TFncKy
Created on : 09/09/2002 11:10:52
Last accessed : 04/05/2004 23:00:00
Last modified : 23/07/2002 08:31:58
#:18 [tdispvol.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:02
BasePriority : Normal
FileSize : 96 KB
Created on : 09/09/2002 11:10:52
Last accessed : 04/05/2004 23:00:00
Last modified : 02/03/2002 11:40:10
#:19 [tmesbs32.exe]
FilePath : C:\Program Files\TOSHIBA\TME3\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 56 KB
FileVersion : 2, 1, 1, 11
ProductVersion : 2, 1, 0, 1
Copyright : Copyright © TOSHIBA Corp.1998-2002
CompanyName : TOSHIBA Corporation
FileDescription : tmesbs32
InternalName : tmesbs3
OriginalFilename : tmesbs32.exe
ProductName : TOSHIBA Mobile Extension Slim Select Bay Service
Created on : 09/09/2002 11:11:16
Last accessed : 04/05/2004 23:00:00
Last modified : 07/08/2002 10:24:18
#:20 [tfnf5.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 72 KB
FileVersion : 2, 0, 0, 0
ProductVersion : 2, 0, 0, 0
Copyright : Copyright
CompanyName : Toshiba Corp.
FileDescription : TFnF5
InternalName : TFnF5
OriginalFilename : TFnF5.Exe
ProductName : Toshiba Hotkey Utility for Display Devices
Created on : 09/09/2002 10:16:38
Last accessed : 04/05/2004 23:00:00
Last modified : 26/06/2002 13:43:16
#:21 [toshkcw.exe]
FilePath : C:\Program Files\TOSHIBA\Wireless Hotkey\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 48 KB
FileVersion : 2, 0, 0, 1
ProductVersion : 2, 0, 0, 1
Copyright : Copyright © 2001-2002 TOSHIBA CORPORATION
CompanyName : TOSHIBA CORPORATION
FileDescription : Wireless Hotkey
InternalName : Wireless Hotkey EXE
OriginalFilename : TosHKCW.EXE
ProductName : Wireless Hotkey
Created on : 09/09/2002 11:13:20
Last accessed : 04/05/2004 23:00:00
Last modified : 22/01/2002 17:20:50
#:22 [syntplpr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 124 KB
FileVersion : 6.7.6 16Aug02
ProductVersion : 6.7.6 16Aug02
Copyright : Copyright © Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : TouchPad Driver Helper Application
InternalName : SynTPLpr
OriginalFilename : SynTPLpr.exe
ProductName : Progressive Touch
Created on : 09/09/2002 10:09:21
Last accessed : 04/05/2004 23:00:00
Last modified : 16/08/2002 09:43:14
#:23 [syntpenh.exe]
FilePath : C:\Program Files\Synaptics\SynTP\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 544 KB
FileVersion : 6.7.6 16Aug02
ProductVersion : 6.7.6 16Aug02
Copyright : Copyright © Synaptics, Inc. 1996-2002
CompanyName : Synaptics, Inc.
FileDescription : Synaptics TouchPad Enhancements
InternalName : Scrolleroo
OriginalFilename : SynTPEnh.exe
ProductName : Progressive Touch
Created on : 09/09/2002 10:09:20
Last accessed : 04/05/2004 23:00:00
Last modified : 16/08/2002 15:18:22
#:24 [touched.exe]
FilePath : C:\Program Files\TOSHIBA\TouchED\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 120 KB
FileVersion : 2, 0, 1, 4
ProductVersion : 2, 0, 1, 4
Copyright : Copyright 1998-2002 TOSHIBA Corporation. All rights reserved.
CompanyName : TOSHIBA Corporation
FileDescription : TouchPad On/Off Utility
InternalName : TouchED
OriginalFilename : TouchED.exe
ProductName : TouchPad On/Off Utility
Created on : 09/09/2002 12:17:31
Last accessed : 04/05/2004 23:00:00
Last modified : 01/08/2002 15:22:42
#:25 [cpadfstr.exe]
FilePath : C:\Program Files\Synaptics\SynTP\CPad\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 20 KB
Created on : 27/04/2003 20:53:16
Last accessed : 04/05/2004 23:00:00
Last modified : 25/08/2002 07:39:54
#:26 [alarmwatcher.exe]
FilePath : C:\Program Files\Synaptics\SynTP\cPad\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 140 KB
Created on : 27/04/2003 20:53:19
Last accessed : 04/05/2004 23:00:00
Last modified : 22/07/2002 13:55:20
#:27 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 05-05-2004 19:35:03
BasePriority : Normal
FileSize : 1076 KB
FileVersion : 3.39.0
ProductVersion : 3.39.0
Copyright : Copyright © ahead software gmbh and its licensors
CompanyName : Copyright © ahead software gmbh and its licensors
FileDescription : InCD CD-RW UDF Tools
InternalName : InCD
OriginalFilename : InCD.EXE
ProductName : InCD
Created on : 02/09/2003 20:44:56
Last accessed : 04/05/2004 23:00:00
Last modified : 12/09/2002 17:13:18
#:28 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 03/02/2004 16:05:43
Last accessed : 04/05/2004 23:00:00
Last modified : 03/02/2004 16:05:46
#:29 [e_s10ic2.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 73 KB
FileVersion : 3.05
ProductVersion : 3.05
Copyright : Copyright © SEIKO EPSON CORP. 2002
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
OriginalFilename : E_S10IC2.EXE
ProductName : EPSON Status Monitor 3
Created on : 19/02/2004 11:03:32
Last accessed : 04/05/2004 23:00:00
Last modified : 01/07/2002 02:05:00
#:30 [hide bags.exe]
FilePath : C:\PROGRA~1\flagfind\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 227 KB
Created on : 09/04/2004 19:32:55
Last accessed : 04/05/2004 23:00:00
Last modified : 03/05/2004 06:50:42
#:31 [taumon.exe]
FilePath : C:\PROGRA~1\AGNITUM\TAUSCA~1.7\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 122 KB
FileVersion : 1.7.0.1414
ProductVersion : 1.7.0.1414
Copyright : Copyright © 1999-2004 Agnitum Ltd.
CompanyName : Agnitum Ltd.
FileDescription : Tau monitor
InternalName : Taumon
OriginalFilename : Taumon.EXE
ProductName : Tau monitor
Created on : 14/04/2004 13:03:58
Last accessed : 04/05/2004 23:00:00
Last modified : 07/04/2004 14:03:22
#:32 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 02/05/2004 09:12:43
Last accessed : 04/05/2004 23:00:00
Last modified : 02/05/2004 09:12:44
#:33 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 05-05-2004 19:35:04
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 31/12/1979 23:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 18/08/2001 13:00:00
#:34 [mnyexpr.exe]
FilePath : C:\Program Files\Microsoft Money\System\
ThreadCreationTime : 05-05-2004 19:35:05
BasePriority : Normal
FileSize : 196 KB
FileVersion : 11.00.0716
ProductVersion : 11.00.0716
Copyright : Copyright © Microsoft Corp. 1990-2001. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : mnyexpr
OriginalFilename : mnyexpr.exe
ProductName : Microsoft Money
Created on : 17/07/2002 10:00:00
Last accessed : 04/05/2004 23:00:00
Last modified : 17/07/2002 10:00:00
#:35 [cmags.exe]
FilePath : C:\Program Files\Wireless\Client Manager\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 332 KB
Created on : 31/12/1999 22:03:44
Last accessed : 04/05/2004 23:00:00
Last modified : 28/05/2002 05:45:42
#:36 [ymsgr_tray.exe]
FilePath : C:\PROGRA~1\YAHOO!\MESSEN~1\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 64 KB
Created on : 04/06/2003 01:17:11
Last accessed : 04/05/2004 23:00:00
Last modified : 04/02/2002 17:15:00
#:37 [wincinemamgr.exe]
FilePath : C:\Program Files\InterVideo\Common\Bin\
ThreadCreationTime : 05-05-2004 19:35:06
BasePriority : Normal
FileSize : 164 KB
FileVersion : 1.8.0
ProductVersion : 1, 8, 0, 0
Copyright : Copyright 1999-2003 InterVideo, Inc. All rights reserved.
CompanyName : InterVideo Inc.
FileDescription : WinCinema Manager
InternalName : WinCinema Manager
OriginalFilename : WinCinemaMgr.EXE
ProductName : WinCinema Manager for InterVideo WinCinema products
Created on : 09/09/2002 12:14:27
Last accessed : 04/05/2004 23:00:00
Last modified : 22/10/2003 06:14:26
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 05-05-2004 19:35:18
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 14/04/2004 12:12:02
Last accessed : 04/05/2004 23:00:00
Last modified : 12/07/2003 21:00:20
Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Hosts file scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
1 entries scanned.
New objects :0
Objects found so far: 0
20:37:47 Scan complete
Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:02:09:677
Objects scanned :53636
Objects identified :0
Objects ignored :0
New objects :0
Thanks very much. Now if you could just first please go look at your Private Messages, I have sent you instructions to email me a couple folders (put them in a zip file please) so I can submit them for analysis.
Do that then follow these instructions for manual removal. First please print out these instructions so you have them handy because we will need to do all of this in safe mode.
Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Scan with HijackThis, place a x next to these items and then press *fix checked*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
Don't reboot yet! While still in SAFE MODE, search for and delete these folders (entire folder and it's contents)
C:\PROGRAM FILES\Htmatom
C:\PROGRAM FILES\flagfind
Now you can reboot back into normal mode. Please scan again with HijackThis and post a fresh log :)
Do that then follow these instructions for manual removal. First please print out these instructions so you have them handy because we will need to do all of this in safe mode.
Reboot your PC into SAFE MODE
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Scan with HijackThis, place a x next to these items and then press *fix checked*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netsearchsoft.com/passthrough/index...www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {9DD74C73-D305-5ACE-2C87-755C83A7E1F4} - C:\PROGRA~1\Htmatom\Intersixth.dll
O2 - BHO: Zero Popup - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Setup axis - {A316226B-A9AE-D1CE-6309-76C212B87AC7} - C:\PROGRA~1\Htmatom\Intersixth.dll
O4 - HKLM\..\Run: [PLUS BOWS] C:\PROGRA~1\flagfind\hide bags.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02e8fc8021ea08...ip/RdxIE601.cab
Don't reboot yet! While still in SAFE MODE, search for and delete these folders (entire folder and it's contents)
C:\PROGRAM FILES\Htmatom
C:\PROGRAM FILES\flagfind
Now you can reboot back into normal mode. Please scan again with HijackThis and post a fresh log :)
ok i had to do the instructions twice and here is the log
i seem to have lost the netsearch for now but homepage has reset to about blank
is there anything else i should do??
Logfile of HijackThis v1.97.7
Scan saved at 22:55:00, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
i seem to have lost the netsearch for now but homepage has reset to about blank
is there anything else i should do??
Logfile of HijackThis v1.97.7
Scan saved at 22:55:00, on 05/05/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TDispVol.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Wireless\Client Manager\CmAGS.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [cPadFstR] C:\Program Files\Synaptics\SynTP\CPad\cPadFstR.Exe
O4 - HKLM\..\Run: [cPadAlarm] C:\Program Files\Synaptics\SynTP\cPad\AlarmWatcher.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Wireless Client Manager.lnk = C:\Program Files\Wireless\Client Manager\CmAGS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Money Viewer (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: DigiChat Applet - http://host16.digichat.com/DigiChat/DigiCl...s/Client_IE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (FrontdoorFD Profile Manager Class) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200401...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
Use HijackThis to *fix checked* on this orphaned entry:
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
Then set your home page to whatever you like. I think you are good to go
Except for one very critical thing! Windows Updates - you need them right away - ALL of them. There are a number of new worms spreading like wildfire and you will soon be infected if you don't get that done.
Also, now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
Then set your home page to whatever you like. I think you are good to go
Except for one very critical thing! Windows Updates - you need them right away - ALL of them. There are a number of new worms spreading like wildfire and you will soon be infected if you don't get that done.
Also, now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857
And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
http://v4.windowsupdate.microsoft.com/en/default.asp
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.