Computing.Net > Forums > Security and Virus > virus DOWNLOADER.MSCACHE detected


virus DOWNLOADER.MSCACHE detected


Name: rcotner
Date: January 18, 2004 at 16:47:02 Pacific
OS: Windows XP
CPU/Ram: Hewlett Packard 1.8 GHz p
Comment:

Hello, I am running Windows XP and have currently run an online virus scan from SYMANTEC SECURITY CHECK SITE. I ran this check just out of curiosity because about a week ago I had a window pop up on my screen saying my system may be infected and asking whether I wanted to run a scan to check for possible trojan horses or viruses. This pop up window was from SYMANTEC SECURITY CHECK. I figured it was a secure site and chose to run the online virus scan. After the scan was complete, it showed that I had 2 files infected with the DOWNLOADER.MSCACHE virus. The files were C:\WINDOWS\xkwucroa.dll and C:\WINDOWS\Downloaded Program Files\ezrvhygv.dll. I searched the SYMANTEC SECURITY RESPONSE WEB SITE for the DOWNLOADER.MSCache virus and the removal instructions. After following the instructions for removal, I discovered that I was unable to remove this virus since I was not running the Symantec Norton Virus detection/Removal program. I currently use MCAFEE VIRUS DETECTION/REMOVAL. After running a scan with MCAFEE it did not detect this or any other virus/trojan. I then went back to START>SEARCH> and typed in the xkwucroa.dll file and it was found under files and folders. From there I deleted the file. I'm not sure if that was the proper thing to do?? Currently my system seems to be running normal after deleting that file. I ran another online virus scan from SYMANTEC and it showed that I have 1 file infected. This is the file: C:\WINDOWS\Downloaded Program Files\ezrvhygv.dll is infected with Downloader.MSCache. According to the SYMANTEC SECURITY RESPONSE SITE the removal procedure is the same as for the above mentioned infected file. I did a search for the infected file on the hard drive but it turned up NO RESULTS! I then did a search of C:\WINDOWS\Downloaded Program Files\ezrvhygv.dll in the REGISTRY and it was found there. My question is this: Can I delete this from the registry or is this a file that is needed to run certain programs?
I have since done a search on my laptop (which also has Windows XP) for both of these files and neither one is found in the regular hard drive (C:) search or the registry search (MY COMPUTER). Any thoughts or help would be greatly appreciated. Thanks, Ron




Response Number 1
Name: Valerie (by Garibaldi)
Date: January 18, 2004 at 18:01:30 Pacific
Reply:

Try this one

http://www.antivirus.vt.edu/alerts/downloader.mscache.asp

Good luck

V...



Response Number 2
Name: iceblue
Date: January 19, 2004 at 05:53:28 Pacific
Reply:

We can be sure of deleting the correct files from your system and removing the appropriate entries from the registry, if we can see an entire HijackThis log.

It will show us the running processes and all the registry entries that are related to infections.
Seeing what they are and where they are in the log is the key pointer to resolving all the problems.

Download HijackThis 1.97.0.7 new version http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip/extract all, and double-click on hijackthis.exe.

· Make sure that you extract HijackThis to its own folder, and not to a \temp folder.
· If you have anything disabled by MSConfig or another startup manager, please re-enable it before scanning. Run in normal startup mode.

Run HijackThis, Press Scan, and wait,
Save the log, (the ‘scan’ button changes to ‘save log’)
Edit>select All > copy and paste its contents here.

** Don't fix anything yet. Most of the log is harmless or essential for your system or for the log reader to resolve the problem**
Post the full log including header info in reply.
It will be reviewed by someone here.

iceblue



Response Number 3
Name: rcotner
Date: January 19, 2004 at 12:02:06 Pacific
Reply:

Iceblue,
Thanks for the response. Here is a copy of my HIJACKTHIS LOG. I'll check back later for any updates. Thanks, Ron

Logfile of HijackThis v1.97.7
Scan saved at 2:56:24 PM, on 1/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17707a8aab784966c206/netzip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab




Response Number 4
Name: iceblue
Date: January 19, 2004 at 14:04:29 Pacific
Reply:

· Make sure that you extract HijackThis to its own folder, and not to a \temp folder.

You can delete those references from the registry.
(And there are some minor things to fix - more on this later)



Response Number 5
Name: rcotner
Date: January 19, 2004 at 15:01:26 Pacific
Reply:

Iceblue,
I have HIJACKTHIS in its own folder. What are you saying about deleting those references from the registry???
I'll await your next post. Thanks, Ron






Response Number 6
Name: rcotner
Date: January 19, 2004 at 15:06:57 Pacific
Reply:

Iceblue,
OOPS! I just realized the HIJACKTHIS is in a TEMP folder. Question from a novice computer user: How do I move this HIJACKTHIS TO ITS OWN LOCATION?? Thanks, Ron



Response Number 7
Name: iceblue
Date: January 19, 2004 at 16:44:35 Pacific
Reply:

After re-reading the notes, the procedure from here is
Disable system restore and reboot,
Shut down your internet connection and,
Click Start, and then click Run.
Type:
regsvr32 /u "C:\WINDOWS\Downloaded Program Files\ezrvhygv.dll"
Click OK.
At this point, an Internet Explorer window may appear.
Close the window. Ignore any error messages.

As long as HjT is moved from this folder:
Local Settings\Temp\Temporary Directory 6, to a permanent folder on the hard drive, then that is fine.

Rescan with HjT and fix checked the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17707a8aab784966c206/netzip/RdxIE601.cab

Reboot into safe mode and delete

C:\WINDOWS\Downloaded Program Files\ezrvhygv.dll
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

Reboot and run one or more online AV scans:
RAV
Housecall
Activescan

Unless you need or want Wild Tangent for games etc you can remove that as well through Add/Remove in the Control Panel

Follow up on any adware placed on your system by running
Spybot
AdAware

Re-enable system restore
Rescan with HjT and repost a new log to check it all.

hth

iceblue
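The HijackThis log triage in this thread (what Response 2 says the log shows, the log posted in Response 3, and the items flagged in Response 7), worked through as an added Python example that is not from HijackThis, Computing.Net or any poster here: it parses the log format, applies the three kinds of rule the helper used, and checks each flagged autostart binary against the running-process list, since a file that is running cannot be deleted until safe mode. The owner-host allow-list and the remove-list are assumptions reconstructed from this thread.

```python
"""Triage a HijackThis 1.97 log the way the helper in this thread did.

Rules (a defender's reading of what the helper flagged):
  1. R0/R1 browser start/search URLs pointing at a host the owner did not choose.
  2. O16 ActiveX (DPF) objects whose codebase is fetched from a bare IP address.
  3. O4 autostart entries on a remove-list, cross-checked against the
     "Running processes" section (a running binary must wait for safe mode).
OWNER_HOSTS and REMOVE_STEMS are assumptions built from this thread only.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in Response Number 3.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17707a8aab784966c206/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: hosts the owner actually chose (ISP home page, HP factory defaults).
OWNER_HOSTS = {"www.suscombroadband.com", "us4.hpwis.com", "srch-us4.hpwis.com"}
# Assumption: autostart binaries the helper told the poster to delete.
REMOVE_STEMS = {"backweb-137903.exe", "hpgs2wnd.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s*]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "R1", "O4", "O16"
    reason: str    # why a defender would look at it
    target: str    # URL host or program path
    running: bool  # target appears in the "Running processes" list


def parse_log(text):
    """Split a log into (running process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs:
            processes.append(line)
    return processes, entries


def o4_target(body):
    """Program path from an O4 body: Run-key command (quoted or not) or .lnk target."""
    if body.startswith(("Startup: ", "Global Startup: ")):
        rest = body.partition(": ")[2]
        return (rest.partition(" = ")[2] if " = " in rest else rest).strip()
    cmd = body.partition("] ")[2].strip()
    m = re.match(r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|com))\b)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(text):
    """Apply the three rules and return findings in log order."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            m = URL_HOST_RE.search(body)
            if m and m.group(1).lower() not in OWNER_HOSTS:
                why = "start/search URL points at a host the owner did not choose"
                if "*http" in body:
                    why += " (embedded '*http' redirector)"
                findings.append(Finding(code, why, m.group(1), False))
        elif code == "O16":
            m = URL_HOST_RE.search(body)
            if m and IPV4_RE.match(m.group(1)):
                findings.append(Finding(code, "ActiveX codebase served from a bare IP address",
                                        m.group(1), False))
        elif code == "O4":
            path = o4_target(body)
            if path.rsplit("\\", 1)[-1].lower() in REMOVE_STEMS:
                findings.append(Finding(code, "autostart entry on the remove-list",
                                        path, path.lower() in running))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "  [RUNNING: delete in safe mode]" if f.running else ""
        print(f"{f.code:<4}{f.reason}: {f.target}{flag}")
```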



Response Number 8
Name: rcotner
Date: January 19, 2004 at 17:16:23 Pacific
Reply:

Iceblue,
Thanks for the response. I will follow your directions and post back here hopefully tonight. Thanks for your time and help. Ron



Response Number 9
Name: rcotner
Date: January 19, 2004 at 19:32:00 Pacific
Reply:

Iceblue,
I just completed the RAV online AV scan and here are the results:

Scan started at 1/19/2004 8:54:30 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PVRJDD4E\exitpop[1].htm->(SCRIPT0001) - JS/Noclose* -> Infected
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\PVRJDD4E\exitpop[1].htm->(SCRIPT0001) - JS/Noclose* -> Infected
C:\Program Files\WildTangent\Games\GameChannel\War Games Virtual Warfare Demo\localver\game640x480.htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
C:\WINDOWS\SYSTEM32\oqdnkvfx.dll - Trojan:Win32/Golid.A -> Infected
C:\WINDOWS\SYSTEM32\randomiser.exe - Trojan:Win32/TalkStocks.dam#2 -> Infected
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PVRJDD4E\exitpop[1].htm->(SCRIPT0001) - JS/Noclose* -> Infected

Scanned
============================
Objects: 95569
Directories: 7532
Archives: 6501
Size(Kb): 813337
Infected files: 6

Found
============================
Viruses found: 4
Suspicious files: 0
Disinfected files: 0
Mail files: 3409

WOW!! I will await your next post for guidance on what to do next. I am going to hold off on running Ad-Aware till I hear from you. I have to head for work now, 12-8 shift. YUK! I will check back in the morning for any updates. Thanks, Ron



Response Number 10
Name: iceblue
Date: January 19, 2004 at 20:30:57 Pacific
Reply:

keep going...
do the Spybot and AdAware...
they'll minimise the problems for next time around....
When you've done them,
then go get
Spywareblaster
SpywareGuard
which will help keep stuff from ever getting on your system




Response Number 11
Name: rcotner
Date: January 20, 2004 at 05:28:30 Pacific
Reply:

Iceblue,
I just ran an AD-AWARE SCAN and here are the results:
I am going to download the SPYBOT and run that too. I will post the results here. Thanks, Ron

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, January 20, 2004 8:08:54 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R247 10.01.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R247 10.01.2004
Internal build : 174
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 776519 Bytes
Signature data size : 761540 Bytes
Reference data size : 14915 Bytes
Signatures total : 17322
Target categories : 10
Target families : 395

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:61 %
Total physical memory:523808 kb
Available physical memory:317296 kb
Total page file size:1277420 kb
Available on page file:1137732 kb
Total virtual memory:2097024 kb
Available virtual memory:2057664 kb
OS:

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Play sound if scan produced a result


1-20-2004 8:08:54 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 1-20-2004 12:50:06 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 1-20-2004 12:50:07 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 1-20-2004 12:50:08 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/18/2001 5:36:56 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/18/2001 5:36:56 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 1-20-2004 12:50:08 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/18/2001 5:36:48 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/29/2002 10:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 1-20-2004 12:50:09 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 5:36:58 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/18/2001 5:36:58 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 1-20-2004 12:50:09 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/18/2001 5:36:58 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/18/2001 5:36:58 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 1-20-2004 12:50:11 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.exe
ProductName : Microsoft
Created on : 1/7/2004 12:11:08 AM
Last accessed : 1/20/2004 12:50:33 PM
Last modified : 8/29/2002 10:41:24 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 1-20-2004 12:50:11 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/18/2001 5:36:58 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/18/2001 5:36:58 AM

#:9 [hpsysdrv.exe]
FilePath : C:\windows\system\
ThreadCreationTime : 1-20-2004 12:50:14 PM
BasePriority : Normal
FileSize : 51 KB
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
OriginalFilename : hpsysdrv.exe
ProductName : hpsysdrv
Created on : 11/7/2001 1:51:46 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/7/1998 5:04:38 PM

#:10 [kbd.exe]
FilePath : C:\HP\KBD\
ThreadCreationTime : 1-20-2004 12:50:14 PM
BasePriority : High
FileSize : 60 KB
FileVersion : 1.0.2.0
ProductVersion : 1.0.2.0
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : KBD EXE
InternalName : KBD EXE
OriginalFilename : Kbd.exe
ProductName : Hewlett-Packard Company KBD EXE
Created on : 11/7/2001 1:57:19 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 7/6/2001 10:56:56 PM

#:11 [hpztsb04.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ThreadCreationTime : 1-20-2004 12:50:14 PM
BasePriority : Normal
FileSize : 192 KB
FileVersion : 2,76,0,0
ProductVersion : 2,76,0,0
Copyright : Copyright (c) Hewlett-Packard Company 1999-2001
CompanyName : HP
ProductName : HP DeskJet
Created on : 3/18/2002 10:17:24 PM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/4/2001 2:24:40 AM

#:12 [alogserv.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 36 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019.1
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : Activity Log Server
InternalName : AlogServ
OriginalFilename : AlogServ.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:13 [cmgrdian.exe]
FilePath : C:\Program Files\McAfee\McAfee Shared Components\Guardian\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 139 KB
FileVersion : 3.00.1038.0
ProductVersion : 3.00.1038.0
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : McAfee Guardian Agent
InternalName : CMGrdian
OriginalFilename : CMGrdian.exe
ProductName : McAfee Windows Guardian
Created on : 9/27/2001 8:00:00 AM
Last accessed : 1/20/2004 12:50:16 PM
Last modified : 8/19/2002 8:03:00 AM

#:14 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 0.1.0.1622
ProductVersion : 0.1.0.1622
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealOne Player (32-bit)
Created on : 11/28/2002 12:03:49 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 2/16/2003 1:27:41 AM

#:15 [hphmon03.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 304 KB
FileVersion : 3,3,137
ProductVersion : 3,3,137
Copyright : Copyright (C) 2001
CompanyName : Hewlett-Packard
FileDescription : HPHa3mon
InternalName : HPHa3mon
OriginalFilename : HPHa3mon.exe
ProductName : hp photosmart
Created on : 12/28/2003 4:29:21 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/4/2001 2:24:38 AM

#:16 [hpi_monitor.exe]
FilePath : C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 44 KB
FileVersion : 3.7.0.3
ProductVersion : 3.7.0.3
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : Device Monitor Application
InternalName : HPI_MONITOR
OriginalFilename : HPI_Monitor.exe
ProductName : HP PhotoSmart Software
Created on : 3/18/2002 10:19:34 PM
Last accessed : 1/20/2004 12:50:18 PM
Last modified : 8/9/2001 10:06:46 PM

#:17 [mmtask.exe]
FilePath : C:\Program Files\MusicMatch\MusicMatch Jukebox\
ThreadCreationTime : 1-20-2004 12:50:15 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: (c) <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 11/22/2003 5:09:48 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 12/12/2003 11:55:06 PM

#:18 [ddcman.exe]
FilePath : C:\Program Files\WildTangent\DDC\DDCManager\
ThreadCreationTime : 1-20-2004 12:50:16 PM
BasePriority : Normal
FileSize : 152 KB
FileVersion : 1, 0, 0, 38
Copyright : Copyright 2001
CompanyName : WildTangent
FileDescription : WildTangent DDCManager Module
InternalName : DDCMan
OriginalFilename : DDCMan.exe
ProductName : WildTangent DDCMan Module
Created on : 10/3/2001 3:21:34 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 10/3/2001 3:21:34 AM

#:19 [cookie.exe]
FilePath : C:\Program Files\AnalogX\CookieWall\
ThreadCreationTime : 1-20-2004 12:50:16 PM
BasePriority : Normal
FileSize : 95 KB
Created on : 1/11/2004 6:23:10 PM
Last accessed : 1/20/2004 12:50:16 PM
Last modified : 1/11/2004 6:23:10 PM

#:20 [rulaunch.exe]
FilePath : C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\
ThreadCreationTime : 1-20-2004 12:50:16 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.1113.0
ProductVersion : 1.04.1113.0
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : RuLaunch
InternalName : RuLaunch
OriginalFilename : RuLaunch.exe
ProductName : McAfee Instant Updater
Created on : 9/27/2001 6:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:21 [msbntray.exe]
FilePath : C:\Program Files\Microsoft Broadband Networking\
ThreadCreationTime : 1-20-2004 12:50:17 PM
BasePriority : Normal
FileSize : 428 KB
FileVersion : 2.0.638
ProductVersion : 2.0.638
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Broadband Networking Tray Application
InternalName : MSBNTray.exe
OriginalFilename : MSBNTray.exe
ProductName : Microsoft Broadband Networking Software
Created on : 10/28/2003 10:57:04 PM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 10/28/2003 10:57:04 PM

#:22 [avsynmgr.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:18 PM
BasePriority : Normal
FileSize : 168 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019.1
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : VirusScan Synchronization Service
InternalName : AvSynMgr
OriginalFilename : AvSynMgr.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:23 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 1-20-2004 12:50:18 PM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.13.01.1570
ProductVersion : 5.13.01.1570
Copyright : Copyright
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 15.70
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 15.70
Created on : 9/28/2001 12:49:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 9/28/2001 12:49:00 AM

#:24 [vsstat.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:22 PM
BasePriority : Normal
FileSize : 104 KB
FileVersion : 6.02.3000.1
ProductVersion : 6.02.3000.1
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : VirusScan System Tray
InternalName : VsStat
OriginalFilename : VsStat.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:25 [vshwin32.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:22 PM
BasePriority : Normal
FileSize : 120 KB
FileVersion : 6.02.3000.1
ProductVersion : 6.02.3000.1
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : VirusScan System Scan
InternalName : VshWin32
OriginalFilename : VshWin32.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:26 [hphipm09.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 1-20-2004 12:50:26 PM
BasePriority : Normal
FileSize : 76 KB
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 8/4/2001 2:24:36 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 8/4/2001 2:24:36 AM

#:27 [mcshield.exe]
FilePath : C:\Program Files\Common Files\Network Associates\McShield\
ThreadCreationTime : 1-20-2004 12:50:26 PM
BasePriority : High
FileSize : 220 KB
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 9/27/2001 11:01:00 AM

#:28 [avconsol.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:27 PM
BasePriority : Normal
FileSize : 148 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019
Copyright : Copyright
CompanyName : Network Associates, Inc.
FileDescription : VirusScan Consol
InternalName : AvConsol
OriginalFilename : AvConsol.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:29 [webscanx.exe]
FilePath : C:\Program Files\McAfee\McAfee VirusScan\
ThreadCreationTime : 1-20-2004 12:50:28 PM
BasePriority : Normal
FileSize : 140 KB
FileVersion : 6.02.1019.1
ProductVersion : 6.02.1019.1
Copyright : Copyright
CompanyName : Networks Associates Technologies, Inc.
FileDescription : WebScanX
InternalName : WebScanX
OriginalFilename : WebScanX.exe
ProductName : McAfee VirusScan
Created on : 9/27/2001 11:01:00 AM
Last accessed : 1/20/2004 12:50:06 PM
Last modified : 5/28/2002 11:02:30 AM

#:30 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 1-20-2004 1:08:41 PM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 1/11/2004 12:37:06 AM
Last accessed : 1/20/2004 1:08:41 PM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 0

8:22:43 AM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:13:48:594
Objects scanned :366099
Objects identified :0
Objects ignored :0
New objects :0


0

Response Number 12
Name: rcotner
Date: January 20, 2004 at 06:14:50 Pacific
Reply:

Iceblue,
Just finished the SPYBOT DOWNLOAD AND SCAN. Here are the results:
I'LL AWAIT YOUR NEXT POST BEFORE RE-ENABLING SYSTEM RESTORE AND RE-SCANNING WITH HJT. What do I do with the results from SPYBOT?? Thanks for your help, Ron

Alexa Related: What's related link (Replace file, nothing done)
C:\WINDOWS\Web\RELATED.HTM

BackWeb lite: File extension link (Registry key, nothing done)
HKEY_CLASSES_ROOT\.bwp

BackWeb lite: File extension link (Registry key, nothing done)
HKEY_CLASSES_ROOT\bwpfile

BackWeb lite: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\BackWeb

BackWeb lite: Interface ( (IBackWebExtension)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0F4FE440-983F-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWebCommSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC5-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDialerSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC4-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebGeneralSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC3-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraintCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0D1F7C84-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraint)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0D1F7C83-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebDirectoryEntry)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{0C6E0440-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel4_2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{025632A0-BCEC-11D1-8B35-00609761C47A}

BackWeb lite: Interface ( (IBackWebDisplaySettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC6-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectory)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{15030BC0-0B52-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWeb2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{23F43240-F78D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebSetupNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2F099AF0-6329-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebSetup4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3667E7B0-4F28-11D1-8ADB-00609761C47A}

BackWeb lite: Interface ( (IBackWebInfoPakFilesCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3AF78A71-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebOpenInfoPakFile)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3AF78A77-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryTableNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{44230BC0-3105-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWeb)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF355-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannel)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF35B-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectoryEntryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5DF6CE40-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPak4_2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{610141C2-7701-11D1-B042-004095903824}

BackWeb lite: Interface ( (IBackWeb4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{740904E0-0BFB-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAllInfoPakCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{8131F530-649E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebItemDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{93BF8F00-DBE8-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46422-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebStory)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46424-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{AEE96320-2131-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelCollection4)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BCD0C200-69C1-11D1-8AF8-00609761C47A}

BackWeb lite: Interface ( (IBackWebApplicationNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{D0894D60-6C6C-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC1-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelVariable)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{FEFCA7F0-6C8E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPak)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC2-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWebGeneralSettings2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{E01AD640-F87D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebFilterSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{C8CEEEE0-17D6-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebCommunications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{BAD37BC0-2231-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelVariableCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A4BC67F0-6C90-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebAllStoryCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9DB46423-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9647FB70-DC0F-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{9132E380-DC21-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebPlayer)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{8028B940-4932-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAlertSettings)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{72B62B40-17D1-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebFileAccessViaDir)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{608FE360-6FB2-11D1-A885-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryField)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5B1E13A0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{53FCF35A-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{4A3666F3-5F2D-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectoryNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{41CEBDC0-32C1-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPakFile)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3AF78A74-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebFileAccess)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3AF78A6E-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelTableNotifications)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2F523082-5A0B-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPakDownloadServices)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{2DE07D90-DC04-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryFieldCollection)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{1D91D9E0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebSetup)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{12473FC7-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDisplaySettings4_2)) (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{001B3F20-D866-11D1-8B4C-00609761C47A}

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Registry value, nothing done)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Program directory (Directory, nothing done)
C:\Program Files\BackWeb

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

MyWebSearch: BHO Library (File, nothing done)
C:\Program Files\MyWebSearch\bar\1.bin\mwsbar.dll

MyWebSearch: BHO Library (File, nothing done)
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

WildTangent: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\WildTangent

WildTangent: Program directory (Directory, nothing done)
C:\Program Files\WildTangent

WildTangent: Updater directory (Directory, nothing done)
C:\WINDOWS\wt\updater


--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-10-27 Includes\Dialer.sbi
2003-12-17 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-12-17 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-12-17 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-27 Includes\Tracks.uti
2003-12-10 Includes\Trojans.sbi


0

Response Number 13
Name: iceblue
Date: January 20, 2004 at 06:25:49 Pacific
Reply:


Select and fix all RED items that Spybot finds.
*check for updates*; and rescan if there is an update.

Reboot when done.

Leave off re-enabling system restore for the moment till we run another HjT scan after that reboot.


0

Response Number 14
Name: rcotner
Date: January 20, 2004 at 13:12:39 Pacific
Reply:

Iceblue,
I selected and fixed all RED items that SPYBOT found. I checked for updates; and re-scanned. Then RE-BOOTED. I left off system restore and ran another HJT scan and rebooted. Here are the results from my SPYBOT and HJT scan. I'll wait for your next post to see if there are any further instructions. Thanks, Ron

--- Report generated: 2004-01-20 15:39 ---

Alexa Related: What's related link (Replace file, fixed)
C:\WINDOWS\Web\RELATED.HTM

BackWeb lite: File extension link (Registry key, fixed)
HKEY_CLASSES_ROOT\.bwp

BackWeb lite: File extension link (Registry key, fixed)
HKEY_CLASSES_ROOT\bwpfile

BackWeb lite: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\BackWeb

BackWeb lite: Interface ( (IBackWebExtension)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{0F4FE440-983F-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWebCommSettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{12473FC5-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDialerSettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{12473FC4-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebGeneralSettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{12473FC3-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraintCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{0D1F7C84-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebDownloadTimeConstraint)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{0D1F7C83-8123-11D0-B5CA-0000B43698D6}

BackWeb lite: Interface ( (IBackWebDirectoryEntry)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{0C6E0440-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel4_2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{025632A0-BCEC-11D1-8B35-00609761C47A}

BackWeb lite: Interface ( (IBackWebDisplaySettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{12473FC6-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectory)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{15030BC0-0B52-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWeb2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{23F43240-F78D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebSetupNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2F099AF0-6329-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebSetup4)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3667E7B0-4F28-11D1-8ADB-00609761C47A}

BackWeb lite: Interface ( (IBackWebInfoPakFilesCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3AF78A71-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebOpenInfoPakFile)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3AF78A77-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryTableNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{44230BC0-3105-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWeb)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{53FCF355-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannel)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{53FCF35B-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectoryEntryCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{5DF6CE40-0B50-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPak4_2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{610141C2-7701-11D1-B042-004095903824}

BackWeb lite: Interface ( (IBackWeb4)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{740904E0-0BFB-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAllInfoPakCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8131F530-649E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebItemDownloadServices)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{93BF8F00-DBE8-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9DB46422-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebStory)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9DB46424-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel4)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{AEE96320-2131-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelCollection4)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{BCD0C200-69C1-11D1-8AF8-00609761C47A}

BackWeb lite: Interface ( (IBackWebApplicationNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{D0894D60-6C6C-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC1-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelVariable)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{FEFCA7F0-6C8E-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPak)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{EB1FFFC2-5688-11D0-A865-0000B43699FC}

BackWeb lite: Interface ( (IBackWebGeneralSettings2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{E01AD640-F87D-11D0-9A50-00AA004812C2}

BackWeb lite: Interface ( (IBackWebFilterSettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{C8CEEEE0-17D6-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebCommunications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{BAD37BC0-2231-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelVariableCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{A4BC67F0-6C90-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebAllStoryCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9DB46423-FF61-11D0-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannel2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9647FB70-DC0F-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelDownloadServices)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{9132E380-DC21-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebPlayer)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{8028B940-4932-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebAlertSettings)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{72B62B40-17D1-11D1-96A7-F8E906C10000}

BackWeb lite: Interface ( (IBackWebFileAccessViaDir)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{608FE360-6FB2-11D1-A885-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryField)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{5B1E13A0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebChannelCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{53FCF35A-5323-11D0-A864-0000B43699FC}

BackWeb lite: Interface ( (IBackWebInfoPakNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{4A3666F3-5F2D-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDirectoryNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{41CEBDC0-32C1-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPakFile)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3AF78A74-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebFileAccess)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3AF78A6E-6F14-11D1-A884-0000B43699FC}

BackWeb lite: Interface ( (IBackWebChannelTableNotifications)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2F523082-5A0B-11D0-9B9C-444553540000}

BackWeb lite: Interface ( (IBackWebInfoPakDownloadServices)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2DE07D90-DC04-11D0-A875-0000B43699FC}

BackWeb lite: Interface ( (IBackWebStoryFieldCollection)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{1D91D9E0-004B-11D1-9951-444553540000}

BackWeb lite: Interface ( (IBackWebSetup)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{12473FC7-61A7-11D0-A866-0000B43699FC}

BackWeb lite: Interface ( (IBackWebDisplaySettings4_2)) (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{001B3F20-D866-11D1-8B4C-00609761C47A}

BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Netscape\Netscape Navigator\Viewers\application/x-iad

BackWeb lite: Netscape viewer (Registry value, fixed)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Netscape\Netscape Navigator\Viewers\application/x-bwpreview

BackWeb lite: Program directory (Directory, fixed)
C:\Program Files\BackWeb

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

MyWebSearch: BHO Library (File, fixed)
C:\Program Files\MyWebSearch\bar\1.bin\mwsbar.dll

MyWebSearch: BHO Library (File, fixed)
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

WildTangent: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\WildTangent

WildTangent: Program directory (Directory, fixed)
C:\Program Files\WildTangent

WildTangent: Updater directory (Directory, fixed)
C:\WINDOWS\wt\updater


--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-10-27 Includes\Dialer.sbi
2003-12-17 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-12-17 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-12-17 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-27 Includes\Tracks.uti
2003-12-10 Includes\Trojans.sbi

HJT SCAN RESULTS:

Logfile of HijackThis v1.97.7
Scan saved at 4:00:30 PM, on 1/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscombroadband.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab



0
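To make the "nothing done" versus "fixed" comparison between the two Spybot reports mechanical, here is an added Python example (not code from the thread or from Spybot itself); the report format is inferred from the logs above, and the sample reports inside it are constructed, cut-down copies of those logs.

```python
"""Parse Spybot-S&D 1.2 reports like those posted above and check that every
finding from the first scan is reported as "fixed" in the re-scan.
Added example for this thread (not from the posts); the format is inferred
from those logs and the samples below are constructed, cut-down copies."""
import re
from typing import List, NamedTuple

# "<product>: <description> (<object type>, <status>)"; parentheses may be empty.
FINDING_RE = re.compile(r"^(?P<product>[^:]+): (?P<desc>.*?) \((?P<detail>[^)]*)\)$")

class Finding(NamedTuple):
    product: str  # "BackWeb lite", "DSO Exploit", "Windows Registry", ...
    desc: str     # "Global settings", "Data source object exploit", ...
    kind: str     # "Registry key", "Directory", "Registry change", ...
    status: str   # "nothing done" or "fixed"; "" for informational lines
    target: str   # path or registry key from the next line, "" if absent

def parse_report(text: str) -> List[Finding]:
    """Extract Finding records; header, footer and blank lines are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings, i = [], 0
    while i < len(lines):
        m = FINDING_RE.match(lines[i])
        i += 1
        if not m:
            continue
        kind, _, status = (s.strip() for s in m.group("detail").rpartition(","))
        # The target is the next line unless it is blank or another finding
        # ("install.exe (Wrong app path, nothing done)" has no target line).
        target = ""
        if i < len(lines) and lines[i] and not FINDING_RE.match(lines[i]):
            target, i = lines[i], i + 1
        findings.append(Finding(m.group("product"), m.group("desc"), kind, status, target))
    return findings

def unresolved(before: List[Finding], after: List[Finding]) -> List[Finding]:
    """Findings left 'nothing done' in the first scan that the re-scan does not
    show as fixed: what still needs attention after 'fix all RED items'."""
    fixed = {(f.product, f.desc, f.target) for f in after if f.status == "fixed"}
    return [f for f in before
            if f.status == "nothing done" and (f.product, f.desc, f.target) not in fixed]

# The DSO Exploit entries are the same IE zone-0 setting (action 1004) reported
# once per loaded user hive, including the built-in service account hives.
WELL_KNOWN_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE", ".DEFAULT": "default profile"}

def dso_exploit_hives(findings: List[Finding]) -> List[str]:
    """Name the user hives under which Spybot reported the DSO Exploit setting."""
    hives = []
    for f in findings:
        if f.product == "DSO Exploit" and f.target.startswith("HKEY_USERS\\"):
            sid = f.target.split("\\")[1]
            hives.append(WELL_KNOWN_SIDS.get(sid, "user " + sid))
    return hives

# Constructed sample modelled on the first report above (nothing fixed yet).
REPORT_BEFORE = r"""
BackWeb lite: Global settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\BackWeb

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

WildTangent: Updater directory (Directory, nothing done)
C:\WINDOWS\wt\updater

--- Spybot-S&D version: 1.2 ---
"""

# Constructed re-scan: one directory deliberately left unfixed, plus two lines
# borrowed from the 'system internals' scan to exercise the parser's edge cases.
REPORT_AFTER = r"""
--- Report generated: 2004-01-20 15:39 ---

Congratulations!: No immediate threats were found. ()

BackWeb lite: Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\BackWeb

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-2165517387-2935130677-2106517767-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3

WildTangent: Updater directory (Directory, nothing done)
C:\WINDOWS\wt\updater

Windows Registry: install.exe (Wrong app path, nothing done)
"""
```

Running `unresolved(parse_report(REPORT_BEFORE), parse_report(REPORT_AFTER))` on the samples returns just the WildTangent directory, the one item the re-scan did not show as fixed.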

Response Number 15
Name: iceblue
Date: January 20, 2004 at 19:11:20 Pacific
Reply:

That log looks clean.
Just the installs of these to go:
Spywareblaster
SpywareGuard
(these will stop parasites from even entering your system)
and the re-enabling of system restore.

If any references to that file persist; run the Spybot 'system internals' scan, and fix them.
[click all the backups in Main Settings first]
You should be clear to go.
hth
iceblue


0

Response Number 16
Name: rcotner
Date: January 20, 2004 at 19:48:51 Pacific
Reply:

Iceblue,
I will download those in the morning after work (12-8). And then re-enable system restore. Are there any special settings on those 2 items that need to be set before running them or are they good to go just as is from the download?? Thanks again for your help, Ron


0

Response Number 17
Name: rcotner
Date: January 20, 2004 at 19:51:55 Pacific
Reply:

Iceblue,
One other thing after looking at your last post again. What are you referring to here??

[click all the backups in Main Settings first]

Thanks again, Ron


0

Response Number 18
Name: iceblue
Date: January 20, 2004 at 21:05:17 Pacific
Reply:

Update them both before first scan, but they are good to go from there.

Spybot: [click all the backups in Main Settings first]
i.e. Settings>settings>Main Settings> there are 3 backup type settings - tick all these.

Spybot: Settings>File Sets> tick 'System internals' and scan.



0

Response Number 19
Name: rcotner
Date: January 21, 2004 at 06:00:37 Pacific
Reply:

Iceblue,
I hope you can bear with me one more time. I tend to be a little thick once in a while. I can't seem to locate the area in SPYBOT where I should make the changes in the SETTINGS. You are showing SPYBOT twice. Are there 2 areas to change in that program?? When I open the SPYBOT SEARCH AND DESTROY program all it shows me in the left hand column is:

Search and Destroy
Recovery
Immunize
Update
Donations

Under the HELP section it talks of an advanced mode in which alone the settings are visible. I don't know if I have it on easy mode or advanced. How would I know??
I don't see an area for SETTINGS. Thanks for your guidance, Ron


0

Response Number 20
Name: rcotner
Date: January 21, 2004 at 18:11:50 Pacific
Reply:

Iceblue,
Disregard my last post as I have stumbled upon the information I was looking for. I went to START>PROGRAMS>SPYBOT and there it showed the program options:
SPYBOT (ADVANCED MODE) <This was the one I was looking for!!
SPYBOT (EASY MODE)
I have made sure that the settings you had mentioned were already there:

Spybot: [click all the backups in Main Settings first]
i.e. Settings>settings>Main Settings> there are 3 backup type settings - tick all these.

Spybot: Settings>File Sets> tick 'System internals' and scan.

I had to check mark this:

Spybot: Settings>File Sets> tick 'System internals' and scan.

since it was not check marked. I ran a scan and here are the results:

Is there anything I should do with these results?? Thanks for your help, Ron

--- Report generated: 2004-01-21 21:03 ---

Congratulations!: No immediate threats were found. ()

Windows Registry: cmgrdian.hlp (Missing helpfile, nothing done)
C:\Program Files\McAfee\McAfee Shared Components\Guardian\

Windows Registry: C:\WINDOWS\Downloaded Program Files\CONFLICT.2\RdxIE.dll (Missing shared DLL, nothing done)
RdxIE.dll

Windows Registry: C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe (Missing shared DLL, nothing done)
hpgs2wnd.exe

Windows Registry: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\naika.exe (Missing shared DLL, nothing done)
naika.exe

Windows Registry: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (Missing shared DLL, nothing done)
WinCinemaMgr.exe

Windows Registry: cmmgr32.exe (Wrong app path, nothing done)
C:\WINDOWS\System32\cmmgr32.exe

Windows Registry: idapi32.dll (Wrong app path, nothing done)
idapi32.dll

Windows Registry: idbat32.dll (Wrong app path, nothing done)
idbat32.dll

Windows Registry: iddao32.dll (Wrong app path, nothing done)
iddao32.dll

Windows Registry: iddr32.dll (Wrong app path, nothing done)
iddr32.dll

Windows Registry: idpdx32.dll (Wrong app path, nothing done)
idpdx32.dll

Windows Registry: idr20009.dll (Wrong app path, nothing done)
idr20009.dll

Windows Registry: install.exe (Wrong app path, nothing done)

Windows Registry: ORUN32.exe (Wrong app path, nothing done)
C:\WINDOWS\ORUN32.exe

Windows Registry: sqlint32.dll (Wrong app path, nothing done)
sqlint32.dll

Windows Registry: winnt32.exe (Wrong app path, nothing done)

Windows Registry: table30.exe (Wrong app path, nothing done)

Windows Registry: setup.exe (Wrong app path, nothing done)

Windows Registry: IntelliMover.exe (Wrong app path, nothing done)
C:\Program Files\Detto\IntelliMover\IntelliMover.exe

Windows Registry: idsql32.dll (Wrong app path, nothing done)
idsql32.dll

Windows Registry: idqbe32.dll (Wrong app path, nothing done)
idqbe32.dll

Windows Registry: idodbc32.dll (Wrong app path, nothing done)
idodbc32.dll

Windows Registry: iddbas32.dll (Wrong app path, nothing done)
iddbas32.dll

Windows Registry: idda3532.dll (Wrong app path, nothing done)
idda3532.dll

Windows Registry: idasci32.dll (Wrong app path, nothing done)
idasci32.dll

Windows Registry: disp.dll (Wrong app path, nothing done)
disp.dll

Windows Registry: blw32.dll (Wrong app path, nothing done)
blw32.dll

Windows Registry: bdeadmin.cpl (Wrong app path, nothing done)
bdeadmin.cpl

Windows Registry: bdeadmin.hlp (Wrong app path, nothing done)
bdeadmin.hlp

Windows Registry: bdeadmin.exe (Wrong app path, nothing done)
bdeadmin.exe

Windows Registry: bantam.dll (Wrong app path, nothing done)
bantam.dll

Windows Registry: arcsoft.exe (Wrong app path, nothing done)
C:\Program Files\ArcSoft\My Photo Center\arcsoft.exe


--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-10-27 Includes\Dialer.sbi
2003-12-17 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-12-17 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-12-17 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-27 Includes\Tracks.uti
2003-12-10 Includes\Trojans.sbi


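The report above flags two kinds of registry records: App Paths entries whose executable is no longer on disk ("Wrong app path") and SharedDLLs entries whose file is missing ("Missing shared DLL"). As an added example (not from this thread, and not Spybot-S&D's own code), the PowerShell below reproduces that check read-only against the two keys Windows uses for these records, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths and ...\SharedDLLs; that these are the keys behind Spybot's two labels is an assumption. A stale entry only means an uninstaller left a record behind, which is why Spybot reports "nothing done"; it is not by itself evidence of the Downloader.MSCache infection from the original question, and neither xkwucroa.dll nor ezrvhygv.dll appears in this report.

```powershell
# Added example, not from the original thread and not Spybot-S&D's code.
# Lists registry records that point at files which no longer exist:
#   "Wrong app path"     -> App Paths\<name> whose (Default) file is missing
#   "Missing shared DLL" -> SharedDLLs value whose path (the value name) is missing
# Assumption: these two keys are what Spybot's labels correspond to.
# Read-only: nothing is changed or deleted. Run in an elevated PowerShell.

function Get-StaleRegistryPaths {
    $results = @()

    # 1. App Paths: one subkey per executable name; (Default) holds the full path.
    #    Run dialog / ShellExecute use these to resolve a bare name like "cmmgr32.exe".
    $appPaths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    Get-ChildItem -Path $appPaths -ErrorAction SilentlyContinue | ForEach-Object {
        $name   = $_.PSChildName
        $target = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if ($target) {
            # Expand %SystemRoot% and similar so the existence test is meaningful
            $target = [Environment]::ExpandEnvironmentVariables($target)
        }
        if (-not $target -or -not (Test-Path -LiteralPath $target -PathType Leaf)) {
            $results += [pscustomobject]@{
                Check  = 'Wrong app path'
                Name   = $name
                Target = $target
                Key    = $_.Name
            }
        }
    }

    # 2. SharedDLLs: each value NAME is a full file path; the DWORD data is a
    #    reference count kept by installers. A missing file means a dangling record.
    $sharedDlls = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs'
    $props = Get-ItemProperty -Path $sharedDlls -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's PSPath/PSDrive/... metadata
            ForEach-Object {
                $path = [Environment]::ExpandEnvironmentVariables($_.Name)
                if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
                    $results += [pscustomobject]@{
                        Check  = 'Missing shared DLL'
                        Name   = (Split-Path -Path $path -Leaf)
                        Target = $path
                        Key    = $sharedDlls
                    }
                }
            }
    }

    return $results | Sort-Object Check, Name
}

# Usage: print the same two categories the Spybot report shows, with the full key
# so each entry can be reviewed in regedit before deciding whether to remove it.
Get-StaleRegistryPaths | Format-Table -Property Check, Name, Target -AutoSize
```

Review the App Paths hits first: that key is consulted whenever the bare executable name is launched from Run or by ShellExecute, so an entry that no longer resolves is worth removing along with the program it belonged to, while the SharedDLLs leftovers are cosmetic. Export the key (File > Export in regedit) before deleting anything.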