Full Version: My HiJack this Log
frustrateduser
Hey,

I've recently been infected with the coolwebsearch trojan, say two days ago...I downloaded a version of CWShredder, did a search, and it always said "there is a version of coolwebsearch still downloading, please restart your browser and run cwshredder again to correct the problem." I did this to no avail, and continued running CWShredder with the same problems encountered. I left for the weekend, and came back and my computer was flooded with pop-ups. I tried running CWShredder again, but...it said that the coolwebsearch trojan developed something to prevent CWShredder from working, and said it would open in another name to run. It opened in a different name but still was not able to complete (noting the same thing about a coolwebsearch bug getting on the machine that prevented it from working). Please please please help me get rid of this problem...

frustrated computer user...

*******************************


Note: I have detected the CWS trojan on my computer

Here is my log:

Logfile of HijackThis v1.97.7
Scan saved at 7:35:54 PM, on 6/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\services\msxmidi.exe
C:\WINNT\System32\hpha1mon.exe
C:\PROGRA~1\ZipCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
C:\WINNT\system32\dsfrhook.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\system32\iyus\pincgjnj.exe
C:\WINNT\System32\HPHipm07.exe
C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\system32\sp2cconf.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\tisvcs.exe
C:\WINNT\system32\Iei1NKe7.exe
C:\WINNT\system32\Iei1NKe7.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F1 - win.ini: run=C:\WINNT\system32\services\msxmidi.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINNT\System32\hpha1mon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZipCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iyus] C:\WINNT\system32\iyus\pincgjnj.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [NcAYM1QC.exe] C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\OhjOUeC1.exe
O4 - HKLM\..\Run: [03nP37e] dsfrhook.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [tisvcs] C:\WINNT\system32\tisvcs.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [H04FRXKtQ] sp2cconf.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8049.7034143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Please help, thanks...
frustrateduser
Logfile of HijackThis v1.97.7
Scan saved at 10:43:41 PM, on 6/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\services\msxmidi.exe
C:\WINNT\System32\hpha1mon.exe
C:\PROGRA~1\ZipCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\system32\dsfrhook.exe
C:\WINNT\system32\iyus\ckggcglm.exe
C:\WINNT\System32\HPHipm07.exe
C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\system32\sp2cconf.exe
C:\WINNT\system32\lntsesst.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINNT\system32\ZxcdcL.exe
C:\WINNT\system32\Iei1NKe7.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F1 - win.ini: run=C:\WINNT\system32\services\msxmidi.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\system32\services\2.01.00.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINNT\System32\hpha1mon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZipCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iyus] C:\WINNT\system32\iyus\ckggcglm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [NcAYM1QC.exe] C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\OhjOUeC1.exe
O4 - HKLM\..\Run: [03nP37e] dsfrhook.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINNT\system32\bridge.dll",Load
O4 - HKLM\..\Run: [lntsesst] C:\WINNT\system32\lntsesst.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [H04FRXKtQ] sp2cconf.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.searchsquire.com/SearchSquire33.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8049.7034143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
Hunter
frustrateduser,

Did you really read this thread?



Guidelines for Posting in This Forum, READ THIS FIRST PLEASE
http://forum.gladiator-antivirus.com/index...showtopic=10517

Then also do these steps

If you are not using an Antispyware scanner, please download, install, update and run one of these free antispyware programs. This will remove the most commonly known types of spyware, hijackers and other common malware and will make our job easier.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/


If not, please do that then.



*************************************
Try this using your Adaware


2. Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

3. Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list

4. Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window

1. In the ‘General’ window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the ‘Scanning’ button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file
· Under ‘Click here to select drives + folders’, choose:
· All of your hard drives

3. Click on the ‘Advanced’ button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information
· Include additional object details

4. Click the ‘Tweak’ button and select:
· Under the ‘Scanning Engine’:
· Unload recognized processes during scanning
· Include basic Ad-aware settings in logfile
· Include additional Ad-aware settings in logfile
· Under the ‘Cleaning Engine’:
· Let Windows remove files in use at next reboot

5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’ and on the next screen choose ‘Activate in-depth Scan’ at the bottom of the page and then choose:
· Use Custom Scanning Options

7. Click ‘Next’ and AdAware will scan your hard drive(s) with the options you have selected.

8. Save the log file when it asks and then click ‘finish’

9. REBOOT
*******************************

Then post another log.
frustrateduser
Hey,

I ran into problems when you asked me to check the box beside A:...it said that it was not accessible

Also at the end, where I deleted the selected files, it said I could not delete one file until rebooting, I think the file was cwinn32/2.01.00.dll or something like that...

Here is the log you asked me to save:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, June 27, 2004 11:38:45 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R323 20.06.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R323 20.06.2004
Internal build : 255
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1263754 Bytes
Signature data size : 1243301 Bytes
Reference data size : 20389 Bytes
Signatures total : 27644
Target categories : 10
Target families : 505

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:64 %
Total physical memory:589280 kb
Available physical memory:372044 kb
Total page file size:1439800 kb
Available on page file:1177740 kb
Total virtual memory:2097024 kb
Available virtual memory:2052380 kb
OS:Windows 2000

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


6-27-2004 11:38:45 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 6-28-2004 3:25:46 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:13 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:17 AM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 6/19/2003 7:05:04 PM

#:4 [lsass.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:17 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 5.00.2195.6902
ProductVersion : 5.00.2195.6902
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
OriginalFilename : lsasrv.dll and lsass.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/28/2004 3:30:34 AM
Last modified : 2/25/2004 11:59:07 PM

#:5 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:22 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 12/7/1999 12:00:00 PM

#:6 [spoolsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:22 AM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
OriginalFilename : spoolss.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 1/6/2000 4:27:38 AM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 6/19/2003 7:05:04 PM

#:7 [defwatch.exe]
FilePath : C:\Program Files\NavNT\
ThreadCreationTime : 6-28-2004 3:26:23 AM
BasePriority : Normal
FileSize : 32 KB
FileVersion : 7, 51, 0, 1
ProductVersion : 7, 51, 0, 1
Copyright : Copyright
CompanyName : Symantec Corporation
FileDescription : Virus Definition Daemon
InternalName : DefWatch
OriginalFilename : DefWatch.exe
ProductName : Norton AntiVirus
Created on : 12/22/2000 11:51:00 AM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 12/22/2000 11:51:00 AM

#:8 [svchost.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-28-2004 3:26:23 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 12/7/1999 12:00:00 PM

#:9 [hpzstatn.exe]
FilePath : C:\WINNT\System32\spool\drivers\w32x86\
ThreadCreationTime : 6-28-2004 3:26:24 AM
BasePriority : Normal
FileSize : 502 KB
FileVersion : 1.14.5000
ProductVersion : 1.14.5000
Copyright : Copyright 1999
CompanyName : Hewlett-Packard Company
FileDescription : DJStatusServer Module
InternalName : DJSTATUSSERVER
OriginalFilename : DJSTATUSSERVER.EXE
ProductName : DJStatusServer Module
Created on : 8/4/2000 4:02:40 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 8/4/2000 4:02:40 PM

#:10 [regsvc.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:26 AM
BasePriority : Normal
FileSize : 66 KB
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
OriginalFilename : REGSVC.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 3/23/2004 1:48:41 AM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 6/19/2003 7:05:04 PM

#:11 [mstask.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:27 AM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
Copyright : Copyright © Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 3/23/2004 1:47:52 AM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 6/19/2003 7:05:04 PM

#:12 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ThreadCreationTime : 6-28-2004 3:26:31 AM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
Copyright : Copyright © Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 3/23/2004 1:49:28 AM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 6/19/2003 7:05:04 PM

#:13 [mspmspsv.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:32 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.01.00.3055
ProductVersion : 7.01.00.3055
Copyright : Copyright © Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : WMDM PMSP Service
InternalName : MSPMSPSV.EXE
OriginalFilename : MSPMSPSV.EXE
ProductName : Microsoft ® DRM
Created on : 6/26/2004 5:38:44 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 5/1/2001 9:06:22 PM

#:14 [svchost.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:26:32 AM
BasePriority : Normal
FileSize : 7 KB
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 12/7/1999 12:00:00 PM
Last accessed : 6/28/2004 3:38:45 AM
Last modified : 12/7/1999 12:00:00 PM

#:15 [explorer.exe]
FilePath : C:\WINNT\
ThreadCreationTime : 6-28-2004 3:27:13 AM
BasePriority : Normal
FileSize : 237 KB
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows ® 2000 Operating System
Created on : 3/23/2004 1:45:40 AM
Last accessed : 6/28/2004 2:45:18 AM
Last modified : 6/19/2003 7:05:04 PM

#:16 [msxmidi.exe]
FilePath : C:\WINNT\system32\services\
ThreadCreationTime : 6-28-2004 3:28:55 AM
BasePriority : Normal
FileSize : 28 KB
Created on : 6/26/2004 10:44:08 PM
Last accessed : 6/28/2004 3:28:58 AM
Last modified : 6/26/2004 5:54:12 PM

#:17 [hpha1mon.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-28-2004 3:28:57 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 2,2,25
ProductVersion : 2,2,25
Copyright : Copyright © 1999
CompanyName : Hewlett-Packard
FileDescription : hpha1mon
InternalName : hpha1mon
OriginalFilename : hpha1mon.exe
ProductName : hp photosmart
Created on : 8/4/2000 4:02:48 PM
Last accessed : 6/28/2004 3:28:27 AM
Last modified : 8/4/2000 4:02:48 PM

#:18 [directcd.exe]
FilePath : C:\PROGRA~1\ZipCD\
ThreadCreationTime : 6-28-2004 3:28:57 AM
BasePriority : Normal
FileSize : 1100 KB
FileVersion : 3.01d (177)
ProductVersion : 3.01d (177)
Copyright : Copyright © 1996-2000 Adaptec, Inc.
CompanyName : Adaptec
FileDescription : DirectCD Application
InternalName : DirectCD
OriginalFilename : DirectCD.EXE
ProductName : DirectCD
Created on : 9/21/2003 1:46:18 AM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 6/29/2000 10:01:00 AM

#:19 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ThreadCreationTime : 6-28-2004 3:28:57 AM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 6.4
ProductVersion : QuickTime 6.4
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 8/10/2003 4:26:56 PM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 11/5/2003 4:28:21 AM

#:20 [p2p networking.exe]
FilePath : C:\WINNT\System32\P2P Networking\
ThreadCreationTime : 6-28-2004 3:28:57 AM
BasePriority : Normal
FileSize : 469 KB
FileVersion : 1, 24, 0, 70
ProductVersion : 1, 24, 0, 70
Copyright : Copyright
CompanyName : Joltid Ltd.
FileDescription : P2P Networking
InternalName : P2P Networking
OriginalFilename : P2P Networking.exe
ProductName : P2P Networking
Created on : 9/26/2003 5:41:56 AM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 1/19/2004 5:33:20 PM

#:21 [vptray.exe]
FilePath : C:\PROGRA~1\NavNT\
ThreadCreationTime : 6-28-2004 3:28:58 AM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 7.51.00.847
ProductVersion : 7.51.00.847
Copyright : Copyright © Symantec Corporation 1991-2000
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus
ProductName : Norton AntiVirus
Created on : 12/22/2000 11:51:00 AM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 12/22/2000 11:51:00 AM

#:22 [webrebates0.exe]
FilePath : C:\Program Files\Web_Rebates\
ThreadCreationTime : 6-28-2004 3:28:58 AM
BasePriority : Normal
FileSize : 48 KB
Created on : 6/9/2004 8:31:26 PM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 6/9/2004 8:31:26 PM

#:23 [ncaym1qc.exe]
FilePath : C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\
ThreadCreationTime : 6-28-2004 3:28:59 AM
BasePriority : Normal
FileSize : 228 KB
Created on : 6/27/2004 12:02:32 AM
Last accessed : 6/28/2004 3:28:13 AM
Last modified : 6/27/2004 12:02:32 AM

#:24 [wcmdmgr.exe]
FilePath : C:\WINNT\wt\updater\
ThreadCreationTime : 6-28-2004 3:29:00 AM
BasePriority : Idle
FileSize : 148 KB
FileVersion : 1.6.2.3
ProductVersion : 1.6.2.3
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wcmdmgr
InternalName : WildTangent Updater Service
OriginalFilename : wcmdmgr.exe
ProductName : WildTangent Updater Service
Created on : 6/21/2004 5:58:49 PM
Last accessed : 6/28/2004 2:40:27 AM
Last modified : 3/12/2004 7:53:48 PM

#:25 [mhahelph.exe]
FilePath : C:\WINNT\system32\iyus\
ThreadCreationTime : 6-28-2004 3:29:00 AM
BasePriority : Normal
FileSize : 55 KB
Created on : 6/28/2004 3:28:59 AM
Last accessed : 6/28/2004 3:28:59 AM
Last modified : 4/28/2004 10:40:59 AM

#:26 [dsfrhook.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:29:00 AM
BasePriority : Normal
FileSize : 200 KB
Created on : 6/27/2004 12:33:18 AM
Last accessed : 6/28/2004 3:28:26 AM
Last modified : 6/27/2004 12:33:04 AM

#:27 [hphipm07.exe]
FilePath : C:\WINNT\System32\
ThreadCreationTime : 6-28-2004 3:29:01 AM
BasePriority : Normal
FileSize : 152 KB
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 9/16/2003 3:16:49 AM
Last accessed : 6/28/2004 2:40:29 AM
Last modified : 10/11/2000 5:20:34 PM

#:28 [createcd.exe]
FilePath : C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\
ThreadCreationTime : 6-28-2004 3:29:02 AM
BasePriority : Normal
FileSize : 256 KB
FileVersion : 4.02d (292)
ProductVersion : 4.02d (292)
Copyright : Copyright © 1996-2000 Adaptec, Inc.
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
OriginalFilename : createcd.exe
ProductName : Easy CD Creator
Created on : 9/21/2003 1:45:35 AM
Last accessed : 6/28/2004 3:28:14 AM
Last modified : 6/30/2000 8:38:00 AM

#:29 [weather.exe]
FilePath : C:\Program Files\AWS\WeatherBug\
ThreadCreationTime : 6-28-2004 3:29:02 AM
BasePriority : Normal
FileSize : 760 KB
FileVersion : 5, 5, 0, 0
ProductVersion : 5, 5, 0, 0
Copyright : Copyright
CompanyName : AWS Convergence Technologies, Inc.
FileDescription : WeatherBug
InternalName : Desktop Weather
OriginalFilename : WeatherBug.exe
ProductName : AWS, Inc.WeatherBug
Created on : 6/22/2004 1:54:41 PM
Last accessed : 6/28/2004 3:28:12 AM
Last modified : 6/2/2004 3:49:20 PM

#:30 [sp2cconf.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:29:04 AM
BasePriority : Normal
FileSize : 92 KB
Created on : 6/27/2004 12:33:18 AM
Last accessed : 6/28/2004 3:28:37 AM
Last modified : 6/27/2004 12:33:04 AM

#:31 [inetsvc.exe]
FilePath : C:\PROGRA~1\INTERN~2\
ThreadCreationTime : 6-28-2004 3:29:08 AM
BasePriority : Normal
FileSize : 20 KB
FileVersion : 4, 6, 6, 0
ProductVersion : 4, 6, 6, 0
Copyright : Copyright
FileDescription : inetsvc
InternalName : inetsvc
OriginalFilename : inetsvc
ProductName : inetsvc
Created on : 4/18/2004 9:45:44 PM
Last accessed : 6/28/2004 3:29:08 AM
Last modified : 4/18/2004 9:45:44 PM

#:32 [zcsapiw.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:29:16 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.00.0001
ProductVersion : 5.00.0001
CompanyName : thunderdome
InternalName : rico
OriginalFilename : rico.exe
ProductName : builder
Created on : 6/28/2004 3:29:13 AM
Last accessed : 6/28/2004 3:29:13 AM
Last modified : 6/14/2004 4:34:02 PM

#:33 [abl3.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:29:27 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 6/27/2004 12:33:06 AM
Last accessed : 6/28/2004 2:39:44 AM
Last modified : 6/27/2004 12:33:06 AM

#:34 [iei1nke7.exe]
FilePath : C:\WINNT\system32\
ThreadCreationTime : 6-28-2004 3:29:28 AM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 1.00
ProductVersion : 1.00
InternalName : Kern32
OriginalFilename : Kern32.exe
ProductName : Kern32
Created on : 6/27/2004 12:33:06 AM
Last accessed : 6/28/2004 2:39:49 AM
Last modified : 6/27/2004 12:33:06 AM

#:35 [webrebates1.exe]
FilePath : C:\Program Files\Web_Rebates\
ThreadCreationTime : 6-28-2004 3:29:30 AM
BasePriority : Normal
FileSize : 284 KB
Created on : 6/9/2004 8:31:39 PM
Last accessed : 6/28/2004 2:41:00 AM
Last modified : 6/9/2004 8:31:39 PM

#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 6-28-2004 3:31:48 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 3:14:40 PM
Last accessed : 6/28/2004 3:31:48 AM
Last modified : 8/29/2002 3:14:40 PM

#:37 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 6-28-2004 3:35:46 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/22/2004 11:49:07 PM
Last accessed : 6/28/2004 3:34:03 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

ClearSearch Object recognized!
Type : File
Data : clrschp071.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 76 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : Clear Search
FileDescription : Loader
InternalName : Loader
OriginalFilename : Loader.exe
ProductName : Loader
Created on : 8/20/2003 6:11:00 PM
Last accessed : 6/28/2004 3:39:25 AM
Last modified : 8/20/2003 6:11:00 PM



ClearSearch Object recognized!
Type : File
Data : clrschp072.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 76 KB
FileVersion : 1, 0, 0, 3
ProductVersion : 1, 0, 0, 3
Copyright : Copyright
CompanyName : Clear Search
FileDescription : Loader
InternalName : Loader
OriginalFilename : Loader.exe
ProductName : Loader
Created on : 8/20/2003 6:11:00 PM
Last accessed : 6/28/2004 3:39:25 AM
Last modified : 8/20/2003 6:11:00 PM



PeopleOnPage Object recognized!
Type : File
Data : may17_loader.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 72 KB
Created on : 5/17/2004 4:57:18 PM
Last accessed : 6/28/2004 3:39:25 AM
Last modified : 5/17/2004 4:57:18 PM



WhenU Object recognized!
Type : File
Data : saveinstcssm.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 387 KB
FileVersion : 2, 5, 4, 1
ProductVersion : 2, 5, 4, 1
Copyright : Copyright 2000
CompanyName : WhenU.com, Inc.
FileDescription : Save! Setup
InternalName : SaveInstCsSm
OriginalFilename : SaveInstCsSm.exe
ProductName : Save! Setup
Created on : 12/10/2003 7:02:50 PM
Last accessed : 6/28/2004 3:10:52 AM
Last modified : 12/10/2003 7:02:50 PM



TurboDownload Object recognized!
Type : File
Data : setup233.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 192 KB
Created on : 12/5/2003 11:11:04 PM
Last accessed : 6/28/2004 3:39:25 AM
Last modified : 12/5/2003 11:11:04 PM



PeopleOnPage Object recognized!
Type : File
Data : sys_ai_client_loader.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 68 KB
Created on : 2/25/2004 4:36:32 PM
Last accessed : 6/28/2004 3:39:25 AM
Last modified : 2/25/2004 4:36:32 PM



eUniverse Object recognized!
Type : File
Data : updaterinstall_112.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 90 KB
Created on : 12/3/2003 9:51:00 PM
Last accessed : 6/28/2004 3:39:26 AM
Last modified : 12/3/2003 9:51:00 PM



BargainBuddy Object recognized!
Type : File
Data : wmedia_bbi8015.exe
Category : Data Miner
Comment :
Object : C:\
FileSize : 191 KB
Created on : 5/2/2003 8:17:56 PM
Last accessed : 6/28/2004 3:39:26 AM
Last modified : 5/2/2003 8:17:56 PM



MemoryWatcher Object recognized!
Type : File
Data : memwatcher2.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Default User\My Documents\Data\Data\
FileSize : 536 KB
Created on : 3/4/2004 6:56:53 AM
Last accessed : 6/28/2004 3:39:31 AM
Last modified : 3/21/2004 5:42:54 PM



MemoryWatcher Object recognized!
Type : File
Data : memwatcher2.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Default User\My Documents\Data\
FileSize : 536 KB
Created on : 3/4/2004 6:56:36 AM
Last accessed : 6/28/2004 3:39:32 AM
Last modified : 3/21/2004 5:42:54 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@276[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/9/2003 9:57:44 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/9/2003 9:57:44 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@2o7[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\
FileSize : 2 KB
Created on : 8/13/2003 11:08:12 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/13/2003 11:08:21 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@accumail[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/6/2003 4:30:34 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/7/2003 3:34:46 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ad-flow[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/15/2003 10:20:52 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/15/2003 10:20:52 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ad-logics[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/27/2003 10:34:44 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/27/2003 10:34:45 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@addynamix[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/5/2003 9:54:02 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/5/2003 9:54:02 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@adnetintads.valuead[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/22/2003 10:11:30 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/22/2003 10:11:30 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ads.adsag[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/26/2003 11:18:36 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/26/2003 11:19:34 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ads.specificpop[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/5/2003 1:01:25 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/5/2003 1:01:25 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@adserv.internetfuel[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/24/2003 12:18:54 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/8/2003 11:56:38 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@advertising[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 8:36:10 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/9/2003 9:57:47 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@atdmt[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 10:57:04 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/8/2003 10:57:04 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@banner.-- Look for another playground --delrio[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/31/2003 3:19:38 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/14/2003 2:01:18 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@banner.-- Look for another playground --tropez[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/31/2003 3:19:59 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/14/2003 2:03:07 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@bfast[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/28/2003 11:48:23 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/31/2003 9:00:34 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@bluestreak[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 4:26:32 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 9/7/2003 4:26:32 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@-- Look for another playground --delrio[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/14/2003 2:01:18 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/14/2003 2:01:18 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@-- Look for another playground --tropez[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/14/2003 2:03:07 AM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/14/2003 2:03:07 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@centrport[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/17/2003 8:40:01 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/17/2003 8:40:01 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@cgi-bin[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/21/2003 5:18:40 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 7/21/2003 5:18:40 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@cgi-bin[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/5/2003 8:00:38 PM
Last accessed : 6/28/2004 3:39:55 AM
Last modified : 8/5/2003 8:00:38 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@cms[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\
FileSize : 1 KB
Created on : 8/22/2003 8:08:07 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 8/22/2003 8:08:07 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@doubleclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/26/2003 1:49:46 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 7/26/2003 1:50:20 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@edge.ru4[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 4:59:54 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/7/2003 9:15:06 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ehg-bskyb.hitbox[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/1/2003 1:53:47 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/1/2003 2:07:07 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ehg-dig.hitbox[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 1:41:18 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/8/2003 1:41:18 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ehg-rr.hitbox[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/15/2003 2:18:00 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 8/15/2003 2:18:00 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@euniverseads[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/15/2003 1:42:33 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 8/15/2003 1:42:33 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@fastclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 10:00:52 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/8/2003 10:00:52 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@fastclick[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/5/2003 8:46:49 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 8/17/2003 3:28:57 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@gator[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/31/2003 10:57:07 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 8/31/2003 10:57:08 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@hitbox[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 1:41:18 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/8/2003 1:41:18 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/9/2003 12:31:35 AM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 9/9/2003 12:31:35 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@mediatrack.revenue[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/30/2003 9:45:16 PM
Last accessed : 6/28/2004 3:39:56 AM
Last modified : 7/30/2003 9:45:16 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@object.passthison[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 4:02:37 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 9/7/2003 4:02:37 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@peel[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 9:27:48 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 9/7/2003 9:27:48 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@pointroll[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/24/2003 10:22:22 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 7/24/2003 10:24:17 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@qksrv[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/26/2003 2:05:16 AM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 8/17/2003 3:28:23 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@questionmarket[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/7/2003 2:31:53 AM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 9/7/2003 2:31:54 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@realmedia[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/31/2003 12:26:58 AM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 7/31/2003 12:26:58 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@revenue[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/30/2003 9:45:16 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 7/30/2003 9:45:16 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@servedby.advertising[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\
FileSize : 2 KB
Created on : 9/7/2003 4:15:27 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 9/9/2003 9:57:47 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@st.sageanalyst[1].txt
Category : Data Miner
Comment : www.searchtraffic.com
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/26/2003 2:24:46 AM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 7/26/2003 2:24:46 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@targetnet[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/31/2003 11:02:23 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 8/31/2003 11:02:23 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@tmpad[2].txt
Category : Data Miner
Comment : www.searchtraffic.com
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 8/21/2003 11:35:48 PM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 8/21/2003 11:35:49 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@trafficmp[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/24/2003 1:19:08 AM
Last accessed : 6/28/2004 3:39:57 AM
Last modified : 9/8/2003 10:56:58 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@tribalfusion[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 8:27:47 PM
Last accessed : 6/28/2004 3:39:58 AM
Last modified : 9/8/2003 8:27:47 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@valueclick[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 7/31/2003 11:26:53 PM
Last accessed : 6/28/2004 3:39:58 AM
Last modified : 7/31/2003 11:26:53 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@www.passthison[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/6/2003 5:53:08 PM
Last accessed : 6/28/2004 3:39:58 AM
Last modified : 9/6/2003 5:53:08 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@z1.adserver[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 8:27:48 PM
Last accessed : 6/28/2004 3:39:59 AM
Last modified : 9/9/2003 10:07:06 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@zedo[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 8:45:51 PM
Last accessed : 6/28/2004 3:39:59 AM
Last modified : 9/8/2003 8:45:51 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@~~local~~[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Cookies\

Created on : 9/8/2003 8:43:37 PM
Last accessed : 6/28/2004 3:39:59 AM
Last modified : 9/8/2003 8:43:37 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@2o7[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\
FileSize : 2 KB
Created on : 6/2/2003 12:51:53 AM
Last accessed : 6/28/2004 3:40:34 AM
Last modified : 6/2/2003 12:52:22 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@accumail[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/2/2003 3:04:59 AM
Last accessed : 6/28/2004 3:40:34 AM
Last modified : 6/7/2003 2:08:18 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@addynamix[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/17/2003 2:09:50 AM
Last accessed : 6/28/2004 3:40:34 AM
Last modified : 4/17/2003 2:09:50 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@adnetintads.valuead[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 5/22/2003 7:23:45 PM
Last accessed : 6/28/2004 3:40:34 AM
Last modified : 5/22/2003 7:23:45 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ads.adsag[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/19/2003 2:09:38 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/19/2003 2:10:11 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@adserv.internetfuel[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/1/2003 7:41:05 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/1/2003 7:41:05 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@advertising[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/7/2003 3:37:42 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 3:37:42 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@ajrotator[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/1/2003 10:28:39 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/1/2003 10:34:34 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@atdmt[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/2/2003 1:18:08 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/2/2003 1:18:08 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@bfast[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/17/2003 1:51:24 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/17/2003 1:51:24 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@bluemountain[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/19/2003 2:09:36 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/19/2003 2:09:36 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@bluestreak[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 5/12/2003 12:59:00 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 5/12/2003 12:59:00 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@counter14.-- The nicest hobby on Earth ;) --tracker[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/7/2003 6:56:25 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 6:56:25 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@counter3.-- The nicest hobby on Earth ;) --tracker[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/7/2003 6:27:52 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 6:27:52 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@domainsponsor[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 5/10/2003 11:15:07 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 5/10/2003 11:15:07 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@doubleclick[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/7/2003 3:37:42 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 3:44:12 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@edge.ru4[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 5/22/2003 2:05:25 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 3:44:13 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@fastclick[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/17/2003 8:06:41 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/17/2003 8:07:17 PM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@gator[2].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 4/18/2003 2:20:01 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 4/18/2003 2:20:01 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@landing.domainsponsor[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 5/10/2003 11:15:06 AM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 5/10/2003 11:15:06 AM



Tracking Cookie Object recognized!
Type : File
Data : luther thomas@mediaplex[1].txt
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Luther Thomas\Local Settings\Temp\Cookies\

Created on : 6/7/2003 3:45:34 PM
Last accessed : 6/28/2004 3:40:35 AM
Last modified : 6/7/2003 3:45:34 P
frustrateduser
Hey,

Was confused a little by your last post, didn't know if you wanted the Ad-aware or HijackThis log... so here is the HijackThis one...

Logfile of HijackThis v1.97.7
Scan saved at 12:17:12 AM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\services\msxmidi.exe
C:\WINNT\System32\hpha1mon.exe
C:\PROGRA~1\ZipCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\WINNT\system32\mobsync.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
C:\WINNT\system32\dsfrhook.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\system32\sp2cconf.exe
C:\WINNT\system32\iyus\bghbmfhc.exe
C:\WINNT\System32\HPHipm07.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\WINNT\system32\mcfg32c.exe
C:\WINNT\system32\Iei1NKe7.exe
C:\WINNT\system32\Ibd35YW.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F1 - win.ini: run=C:\WINNT\system32\services\msxmidi.exe
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINNT\System32\hpha1mon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZipCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iyus] C:\WINNT\system32\iyus\bghbmfhc.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [NcAYM1QC.exe] C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Kmt3.exe
O4 - HKLM\..\Run: [03nP37e] dsfrhook.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [mcfg32c] C:\WINNT\system32\mcfg32c.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [H04FRXKtQ] sp2cconf.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8049.7034143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

thanks,
LoPhatPhuud
First:
I recommend that you uninstall P2P Networking through Add/Remove Programs.
If/when asked whether you also want to remove Altnet components, say 'Yes'.

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.

Subsequently remove the P2P Networking folder in C:\Windows\System32, if still there.


Second:
Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".


Third:
Hi, you have a Peper infection

Download the removal tool:
http://computercops.us/downloads-file-330.html or
http://downloads.subratam.org/PeperFix.exe

IMPORTANT: YOU MUST BE ONLINE WHEN RUNNING IT and let it have access to pass the firewall.


!!! Please run this twice with a reboot in between.


Fourth:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HijackThis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/

F1 - win.ini: run=C:\WINNT\system32\services\msxmidi.exe

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [iyus] C:\WINNT\system32\iyus\bghbmfhc.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [NcAYM1QC.exe] C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [58Y9XRW533ENPX] C:\WINNT\system32\Kmt3.exe
O4 - HKLM\..\Run: [03nP37e] dsfrhook.exe
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe -invisible
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [mcfg32c] C:\WINNT\system32\mcfg32c.exe
O4 - HKCU\..\Run: [H04FRXKtQ] sp2cconf.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


Close all windows except HijackThis and click Fix checked.

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINNT\system32\iyus\ <-- delete folder
C:\Program Files\Web_Rebates\ <-- delete folder
C:\WINNT\system32\services\msxmidi.exe
C:\documents and settings\luther thomas.luther-10qa0ehh\local Settings\temp\NcAYM1QC.exe
C:\WINNT\system32\dp-him.exe
dsfrhook.exe <-- c:\windows or c:\windows\system32\
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\WINNT\system32\mcfg32c.exe
sp2cconf.exe <-- c:\windows or c:\windows\system32\


*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode.

Run HiJackThis again and post a new log in this thread.
frustrateduser
hey,

I ran into a few problems while trying to fix my computer...first...once I did the hijack this log (not sure if it is possible to open the same one again, or do not know how to do it, so I just did a new scan, and a few of the objects changed a bit, such as homepage etc....I still deleted them because they were exactly the same up until the last letter or so)..

Also, I was not able to locate a few of the files in step 4...

04 - HKLM /../Run:[58y9xrw533enpx] C:/WinnT/system32/kmt3.exe
04- HKLM/../Run: [mcfg32c] C:/winnt/system32/mcfg32c.exe
016 - DPF: {1d6711c8-7154-40bb-...cbf} (Web P2P installer)

I was not able to delete the last four things after bringing up safe mode either...

and when I tried to get to my old thread, I get the following message: entitled, "My HiJackthis log"

Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 65536 bytes) in /home/www/web1/html/forum/sources/Drivers/mySQL.php on line 199

thanks man...
frustrateduser
here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 9:07:03 AM, on 6/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hpha1mon.exe
C:\PROGRA~1\ZipCD\directcd.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\system32\adptilse.exe
C:\WINNT\system32\services\msxmidi.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\system32\nwastor.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\WINNT\System32\HPHipm07.exe
C:\WINNT\system32\poolsvs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
F1 - win.ini: run=C:\WINNT\system32\services\msxmidi.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\system32\services\2.01.00.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [HPHA1MON] C:\WINNT\System32\hpha1mon.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ZipCD\directcd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [NcAYM1QC.exe] C:\documents and settings\luther thomas.luther-10qa0ehh\local settings\temp\NcAYM1QC.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [03nP37e] adptilse.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [poolsvs] C:\WINNT\system32\poolsvs.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ZipCD\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [SpywareGuard] C:\WINNT\system32\deinst_qfe001.exe
O4 - HKCU\..\Run: [H04FRXKtQ] nwastor.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8049.7034143519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

sorry, I didn't include it in the last post...
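
Added example, not part of the original thread: the 6/27 and 6/28 logs above show the same Run value names pointing at different executables a day apart, which is one reason a fix list built from the first scan no longer matches the second. The Python sketch below diffs the O4 (registry autorun) lines of two HijackThis logs by value name rather than by file name; the function names are hypothetical and the sample lines are excerpts of the logs posted in this thread.

```python
import re

# Excerpts of the O4 lines from the two logs posted in this thread
# (6/27/2004 scan and 6/28/2004 scan). Only a subset is reproduced here.
LOG_0627 = r"""
O4 - HKLM\..\Run: [iyus] C:\WINNT\system32\iyus\bghbmfhc.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [03nP37e] dsfrhook.exe
O4 - HKLM\..\Run: [mcfg32c] C:\WINNT\system32\mcfg32c.exe
O4 - HKCU\..\Run: [H04FRXKtQ] sp2cconf.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
"""

LOG_0628 = r"""
O4 - HKLM\..\Run: [03nP37e] adptilse.exe
O4 - HKLM\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
O4 - HKLM\..\Run: [poolsvs] C:\WINNT\system32\poolsvs.exe
O4 - HKCU\..\Run: [H04FRXKtQ] nwastor.exe
O4 - HKCU\..\Run: [xpsystem] C:\WINNT\system32\services\msxmidi.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$", re.M)


def parse_o4(log):
    """Map (hive, key, value name) -> command for each registry autorun line."""
    return {(h, k, n): cmd.strip() for h, k, n, cmd in O4_RE.findall(log)}


def diff_autoruns(before, after):
    """Classify autorun entries by what happened to them between two scans."""
    old, new = parse_o4(before), parse_o4(after)
    result = {"retargeted": [], "persisted": [], "removed": [], "added": []}
    for key, cmd in old.items():
        if key not in new:
            result["removed"].append((key, cmd))
        elif new[key].lower() != cmd.lower():  # Windows paths are case-insensitive
            # Same value name, different executable: the old file name is stale.
            result["retargeted"].append((key, cmd, new[key]))
        else:
            result["persisted"].append((key, cmd))
    result["added"] = [(k, c) for k, c in new.items() if k not in old]
    return result


if __name__ == "__main__":
    report = diff_autoruns(LOG_0627, LOG_0628)
    for (hive, key, name), old_cmd, new_cmd in report["retargeted"]:
        print(f"RETARGETED {hive}\\{key} [{name}]: {old_cmd} -> {new_cmd}")
    for status in ("persisted", "added", "removed"):
        for (hive, key, name), cmd in report[status]:
            print(f"{status.upper():10} {hive}\\{key} [{name}]: {cmd}")
```

Entries reported as retargeted or persisted are the ones to re-check in a fresh scan before deleting files by name.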
frustrateduser
Just came up after about 15 attempts, I'll get you the replies here....

thanks,