
ebates, elitebar, searchmiracle and more - lotus79

Hi all :)

I've been trying to figure this one out for days, but have no luck. I got infected from a program install file which turned out to have a bunch of spyware bundled in it. I have Microsoft Anti-spyware beta installed on my system, which warned me as the progs installed, and though I told it to block them, it wasn't able to, I guess.

I soon started getting multiple ad windows spawning. I ran Adaware and Spybot S&S, as well as MS Anti-spyware and Norton AV. Deleted everything they found, but stuff keeps coming back.

Various things they've found that seem to be symptoms rather than the root cause: Ebates moneymaker (keeps coming up), Elite toolbar (once I disabled this in the startup in msconfig the ad windows stopped spawning, but the registry keys keep coming back anyway), DyFuca, CWS.Homepage and SearchMiracle.

Here's my HJT logfile. I'm really hoping someone out there can give me a hand with this, cos it's got me stumped.

Thanks *very much* in advance,
Sarah


Logfile of HijackThis v1.97.7
Scan saved at 16:12:02, on 27/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwh0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Comments

  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O18 - Protocol: bwh0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwh0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwi0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwj0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwk0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwl0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwm0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwn0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwo0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwp0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwq0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwr0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bws0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwt0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwu0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwv0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bww0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwx0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwy0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwz0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: offline-8876480 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    You are using an outdated version of HijackThis.
    Please download the current version of HijackThis and post a new HijackThis log.

    http://www.short-media.com/download.php?d=245
  • edited April 2005
    Hi, and thanks for your help :)

    Logitech Desktop Messenger is the update/notification prog that came with my mouse/keyboard set. Should I uninstall it completely through Control Panel?

    Anyhow, I fixed the entries, and have rebooted and run Adaware, S&D and MS Antispy again and fixed what they found again. The log had changed before that, quite a few more desktop messenger entries spawned. Here's the latest:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:17:25, on 29/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O18 - Protocol: bw+0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
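The two scans above differ mostly in the Logitech O18 protocol lines, which change names between runs, and in the new searchmiracle.com Search Bar entries. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that parses HijackThis-style entry lines, collapses the O18 handlers to one row per CLSID and DLL with a count, diffs two scans to show what appeared and disappeared, and lists the R0/R1 browser-setting lines whose URL host is outside a short allowlist. The two embedded logs are constructed excerpts of the ones posted above, and the allowlist `KNOWN_GOOD_HOSTS` is an assumption to be replaced with the start page and search provider the owner actually expects; the function names are mine.

```python
"""Triage helper for HijackThis-style logs (added example, not part of HijackThis
or of this thread). It reads the text of two scans and reports what a helper
would look at first: collapsed O18 noise, what changed, and R0/R1 URLs to review."""
import re
from collections import Counter, namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "section body")

# Entry lines look like "O18 - ..."; header lines and process paths are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
O18_RE = re.compile(r"^Protocol: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# R0/R1 bodies: "<registry key>,<value name> = <data>"
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")

# Assumption: hosts the owner expects to see as start page / search bar.
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "www.google.com"}

# Constructed excerpts (a few lines each) of the two scans quoted in the thread.
LOG_APRIL_27 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol: bwh0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
"""
LOG_APRIL_29 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O18 - Protocol: bw+0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_log(text):
    """Return the entry lines of a scan as Entry(section, body); everything else is dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def collapse_o18(entries):
    """Count O18 handlers per (CLSID, DLL path): dozens of lines pointing at one DLL become one row."""
    counts = Counter()
    for e in entries:
        m = O18_RE.match(e.body) if e.section == "O18" else None
        if m:
            counts[(m.group("clsid").upper(), m.group("path"))] += 1
    return counts


def diff_logs(old_entries, new_entries):
    """Entries that appeared in the new scan, and entries that disappeared since the old one."""
    old, new = set(old_entries), set(new_entries)
    return sorted(new - old), sorted(old - new)


def flag_browser_settings(entries, allowed_hosts):
    """R0/R1 lines whose data is a URL on a host outside allowed_hosts (a review list, not a verdict)."""
    flagged = []
    for e in entries:
        m = R_RE.match(e.body) if e.section in ("R0", "R1") else None
        if not m:
            continue
        data = m.group("data").strip()
        if not data.lower().startswith(("http://", "https://")):
            continue  # e.g. "ProxyOverride = localhost" is not a URL
        host = (urlparse(data).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append((e.section, m.group("value").strip(), host))
    return flagged


def triage(old_text, new_text, allowed_hosts=KNOWN_GOOD_HOSTS):
    """Bundle the three views of the newer scan into one dict a reviewer can scan quickly."""
    old, new = parse_log(old_text), parse_log(new_text)
    added, removed = diff_logs(old, new)
    return {
        "o18_by_dll": {path: n for (_clsid, path), n in collapse_o18(new).items()},
        "added": added,
        "removed": removed,
        "browser_flags": flag_browser_settings(new, allowed_hosts),
    }


if __name__ == "__main__":
    report = triage(LOG_APRIL_27, LOG_APRIL_29)
    for path, n in report["o18_by_dll"].items():
        print(f"O18 x{n:<3} {path}")
    for e in report["added"]:
        print("+", e.section, e.body)
    for e in report["removed"]:
        print("-", e.section, e.body)
    for section, value, host in report["browser_flags"]:
        print(f"REVIEW {section} {value}: {host}")
```

The diff view is what makes Sarah's observation checkable: the O18 rows churn because the Logitech plug-in re-registers its handlers under new names, while the real change between scans is the R1 Search Bar entry. Treat the flagged hosts as a review list; the allowlist only says which hosts the owner would not be surprised by.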
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Logitech Desktop Messenger is the update/notification prog that came with my mouse/keyboard set. Should I uninstall it completely through Control Panel?
    It's unnecessary for your computer, but not malware. For some reason this program causes numerous O18 lines to show up in HijackThis logs and it just makes the log harder to read. You can certainly uninstall it and it wouldn't hurt you at all. I mean, how often do you think that your mouse/keyboard will need a critical update?


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O18 - Protocol: bw+0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw+0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw-0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw00s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw10s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw20s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw30s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw40s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw50s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw60s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw70s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw80s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bw90s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwa0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwb0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwc0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwd0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwe0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwf0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: bwg0 - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
    O18 - Protocol: bwg0s - {4B837928-BEAD-478E-9223-876655E3FB92} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


    Reboot and post a new hijackthis log.
  • edited April 2005
    OK, I've done that. And I uninstalled desktop msngr for the sake of getting rid of some of the clutter.

    I've left these two:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/

    because they're deliberate--emailcash is my preferred startpage.

    Adaware scan found nothing of note this time, but I can't say I trust it yet. S&D always seems to find nothing, I trust that even less. MS Antispy constantly comes up with "Possible Browser Hijack (Browser Modifier)" and reports the location as "Internet Explorer Search Bar:" It won't give me any more info on it than that, and fixing it does no good--it keeps returning.

    There's still an entry in msconfig I don't know how to get rid of. I've disabled it, but I want to remove it so I stop getting the warning at startup:

    (startup item) elitedun32
    (command) C:/windows/system32/elitedun32.exe
    (location) SOFTWARE/Microsoft/Windows/CurrentVersion/Run

    And here's the latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:22:18, on 29/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks again for your time and assistance!
  • edited April 2005
    OK, I lied, sorry.

    The HJT log changed *after* I fixed the "browser modifier". SearchMiracle is back. Here's the current log:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:25:18, on 29/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Go into msconfig and enable all start up items. Then reboot and post a new hijackthis log.
  • edited April 2005
    OK, done.

    New log:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:57:41, on 29/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedun32.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedun32.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\windows\system32\elitedun32.exe
    There may be other files named elitexxxxxx.exe that are part of this infection also. Check dates and compare them to elitedun32.exe to determine if they should be deleted.


    Reboot your computer to go back to normal mode and post a new log.
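
    Added example (not from the thread, HijackThis or any vendor signature): a small Python script that parses the entry lines of two HijackThis logs, lists the entries that came back between scans, and flags the two indicators this thread turns on, an R1 Search Bar pointing at searchmiracle.com and an O4 Run value launching elite*.exe (the `checkrun` / `elitedun32.exe` pattern quoted above). The sample logs are constructed from the lines posted earlier in the thread; the `Entry` class, `HIJACK_DOMAINS` list and the two regexes are this example's own assumptions.

```python
"""Diff two HijackThis logs and flag the re-persisting hijack entries.

Added example; not part of the original thread or of HijackThis itself.
HijackThis prints header lines, a "Running processes:" list and then one
entry per line of the form "<section> - <body>" (R0/R1/O2/O4/O23 ...).
Only those entry lines are parsed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from entry lines quoted in the thread: the log posted after
# the first HijackThis fix (clean) and a log in which the Search Bar and
# the elitedun32 Run value had come back.
LOG_AFTER_FIX = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_RETURNED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedun32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

# Domains the thread identifies as the hijacker's search bar target.
HIJACK_DOMAINS = ("searchmiracle.com",)

# "<section> - <body>"; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^\s*(?P<section>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
# R1 body that sets the IE Search Bar, capturing the URL it points at.
SEARCH_BAR_RE = re.compile(r"Internet Explorer\\Main,Search Bar = (?P<url>\S+)", re.I)
# O4 body whose command launches an elite*.exe file (elitedun32.exe etc.).
ELITE_RUN_RE = re.compile(r"\\elite\w*\.exe\b", re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "R1", "O4"
    body: str     # everything after "R1 - "

    @property
    def key(self) -> tuple[str, str]:
        # Windows paths and registry data are case-insensitive, so a value
        # re-created as C:\windows\... still matches C:\WINDOWS\...
        return (self.section, self.body.lower())

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_entries(log_text: str) -> list[Entry]:
    """Return the R*/O* entries of a HijackThis log in log order."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def reappeared(before: str, after: str) -> list[Entry]:
    """Entries present in `after` that were absent from `before`."""
    seen = {e.key for e in parse_entries(before)}
    return [e for e in parse_entries(after) if e.key not in seen]


def _is_hijack_host(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def flag_indicators(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Pair each entry that matches a thread indicator with its reason."""
    hits = []
    for e in entries:
        if e.section == "R1":
            m = SEARCH_BAR_RE.search(e.body)
            if m and _is_hijack_host(m["url"]):
                hits.append(("IE Search Bar points at hijacker domain", e))
        elif e.section == "O4" and ELITE_RUN_RE.search(e.body):
            hits.append(("Run key launches elite*.exe loader", e))
    return hits


if __name__ == "__main__":
    for reason, entry in flag_indicators(reappeared(LOG_AFTER_FIX, LOG_RETURNED)):
        print(f"{reason}: {entry.line}")
```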
  • edited April 2005
    OK, done that. elitedun.exe was not present; I deleted that when I first noticed it and disabled the msconfig entry, and it doesn't seem to have come back since.

    The msconfig entry is gone.

    AdAware and S&D both coming up clean, but MSAS is still finding the "possible browser modifier". I haven't fixed it yet this time; last time as soon as I did Search Miracle was back in the HJT log. Should I fix and post the log again?

    Current log:

    Logfile of HijackThis v1.99.1
    Scan saved at 00:18:23, on 30/04/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\EA GAMES\The Sims 2 University\TSBin\Sims2EP1.exe
    C:\DOCUME~1\lotus\LOCALS~1\Temp\~e5.0001
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam Columbus, Ohio
    edited April 2005
    Can you post the log from MS Antispyware? If not, can you tell me exactly what it is finding?
  • edited April 2005
    MSAS won't tell me very much at all. Here's the log:

    Spyware Scan Details
    Start Date: 29/04/2005 23:55:04
    End Date: 30/04/2005 00:14:19
    Total Time: 19 mins 15 secs

    Detected Threats

    Possible Browser Hijack Browser Modifier more information...
    Details: Possible Browser Hijack redirects Internet Explorer.
    Status: Ignored
    High threat - High-risk items have a large potential for harm, such as loss of computer control, and should be removed unless knowingly installed.


    Detected Spyware Cookies
    No spyware cookies were found during this scan.

    There's a link that says "more information", but it just takes you to the MSAS product page. No help there. Very frustrating, since it won't even tell me where the damn thing is located, or what it is removing!
  • edited April 2005
    OK, this may or may not be helpful. I submitted a report through the MSAS prog, and it sent a scan with it. And it finally allowed me to view the raw details of the scan--it's very long, so I have to break it into two posts. Here's the first half:

    - <MSSSRT version="1.0.509" createdate="30/04/2005 11:42:43" os="XP.2600" user="">
    - <Audit>
    - <AutoRunAudit>
    - <StartupFiles>
    <StartupFile path="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk" nam="Adobe Acrobat SpeedLauncher (reader_sl.exe)" pub="Adobe Systems Incorporated" md5="deb88aef013dd1eefb462d7cad642166" ver="7.0.0.0" sz="29696" is="0" gfp="">c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe</StartupFile>
    <StartupFile path="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk" nam="Microsoft Office XP component (osa.exe)" pub="Microsoft Corporation" md5="5bc65464354a9fd3beaa28e18839734a" ver="10.0.2609" sz="83360" is="0" gfp="">c:\program files\microsoft office\office10\osa.exe</StartupFile>
    </StartupFiles>
    - <StartupFilesRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Ptipbmf" dat="rundll32.exe ptipbmf.dll,SetWriteCacheMode" nam="ptipbmf DLL (ptipbmf.dll)" pub="Promise Technology, Inc." md5="8ceadaf5628edbe232e0c6e905da77e8" ver="1.00.0.3" sz="118784" is="0" gfp="">c:\windows\system32\ptipbmf.dll</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="zBrowser Launcher" dat="C:\Program Files\Logitech\iTouch\iTouch.exe" nam="iTouch Application (itouch.exe)" pub="Logitech Inc." md5="2e2400a4341e891abffa553bfd39161b" ver="2.20.243" sz="892928" is="0" gfp="">c:\program files\logitech\itouch\itouch.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Logitech Utility" dat="Logi_MwX.Exe" nam="Logitech Launcher Application (logi_mwx.exe)" pub="Logitech Inc." md5="47f4c8707de00f5f18f6cd524df02879" ver="9.79.016" sz="19968" is="0" gfp="">c:\windows\logi_mwx.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="ccApp" dat=""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" nam="Common Client User Session (ccapp.exe)" pub="Symantec Corporation" md5="8e322bf0b350b94f9edf40c6cc754be9" ver="2.1.6.3" sz="68768" is="0" gfp="">c:\program files\common files\symantec shared\ccapp.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Advanced Tools Check" dat="C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE" nam="Norton AntiVirus Advanced Tools Integrity Checker (advchk.exe)" pub="Symantec Corporation" md5="62b992ae61e3b054f8efe65fd4ce9392" ver="8.00.61" sz="74920" is="0" gfp="">c:\progra~1\norton~1\advtools\advchk.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="NvCplDaemon" dat="RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" nam="NVIDIA Display Properties Extension (nvcpl.dll)" pub="NVIDIA Corporation" md5="70342bc15208b68242241fb0f22468fc" ver="6.14.10.6693" sz="4620288" is="0" gfp="">c:\windows\system32\nvcpl.dll</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="NvMediaCenter" dat="RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" nam="NVIDIA Media Center Library (nvmctray.dll)" pub="NVIDIA Corporation" md5="ca342993cf9b669fa62cc23fdb04d6e6" ver="6.14.10.6693" sz="86016" is="0" gfp="">c:\windows\system32\nvmctray.dll</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="SoundMan" dat="SOUNDMAN.EXE" nam="Realtek Sound Manager (soundman.exe)" pub="Realtek Semiconductor Corp." md5="58ada3beefe33fb8e4875a7848b1fae4" ver="5.1.0.24" sz="65024" is="0" gfp="">c:\windows\soundman.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="Symantec NetDriver Monitor" dat="C:\PROGRA~1\SYMNET~1\SNDMon.exe" nam="Symantec Security Drivers Install Monitor (sndmon.exe)" pub="Symantec Corporation" md5="abba14e4513a3eb53194c472d94943d7" ver="5.4.4.17" sz="95960" is="0" gfp="">c:\progra~1\symnet~1\sndmon.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="gcasServ" dat=""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" nam="Microsoft AntiSpyware Service (gcasserv.exe)" pub="Microsoft Corporation" md5="e519945deb3875341d36db0ea141e0c5" ver="1.00.0509" sz="473920" is="0" gfp="">c:\program files\microsoft antispyware\gcasserv.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="DAEMON Tools-1033" dat=""C:\Program Files\D-Tools\daemon.exe" -lang 1033" nam="Virtual DAEMON Manager (daemon.exe)" pub="DAEMON'S HOME" md5="804fbb66ec6ca862b840d173efc638a7" ver="3.47.0.0" sz="81920" is="0" gfp="">c:\program files\d-tools\daemon.exe</StartupFileRegistry>
    <StartupFileRegistry ex="1" path="HCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" val="CTFMON.EXE" dat="C:\WINDOWS\system32\ctfmon.exe" nam="CTF Loader (ctfmon.exe)" pub="Microsoft Corporation" md5="24232996a38c0b0cf151c2140ae29fc8" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="15360" is="0" gfp="">c:\windows\system32\ctfmon.exe</StartupFileRegistry>
    </StartupFilesRegistry>
    - <WinlogonUserinitFiles>
    <WinlogonUserinitFile ex="1" nam="Userinit Logon Application (userinit.exe)" pub="Microsoft Corporation" md5="39b1ffb03c2296323832acbae50d2aff" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="24576" is="0" gfp="">c:\windows\system32\userinit.exe</WinlogonUserinitFile>
    </WinlogonUserinitFiles>
    <StartupWinIniFiles />
    <StartupSysIniFiles />
    </AutoRunAudit>
    - <InternetExplorerAudit version="6.0.2900.2180">
    - <BrowserHelperObjects>
    <BHO ex="1" clsid="{53707962-6F74-2D53-2644-206D7942484F}" prog="" val="" nam="Bad download blocker (sdhelper.dll)" pub="Safer Networking Limited" md5="abf5ba518c6a5ed104496ff42d19ad88" ver="1, 3, 0, 12" sz="744960" is="0" gfp="">c:\progra~1\spybot~1\sdhelper.dll</BHO>
    </BrowserHelperObjects>
    <IEToolbars />
    <IEExtensions />
    - <IEExplorerBars>
    <IEExplorerBar ex="1" clsid="{4D5C8C25-D075-11d0-B416-00C04FB90376}" prog="" val="&Tip of the Day" nam="Shell Doc Object and Control Library (shdocvw.dll)" pub="Microsoft Corporation" md5="ae8ab1175327702d3a6f10dc122c254e" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="1483264" is="0" gfp="">c:\windows\system32\shdocvw.dll</IEExplorerBar>
    </IEExplorerBars>
    - <IEShellBrowsers>
    <IEShellBrowser ex="1" clsid="{01E04581-4EEE-11D0-BFE9-00AA005B4383}" prog="" val="&Address" nam="Shell Browser UI Library (browseui.dll)" pub="Microsoft Corporation" md5="6eea72937f62376558bf8d693c296ab4" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="1016832" is="0" gfp="">c:\windows\system32\browseui.dll</IEShellBrowser>
    <IEShellBrowser ex="1" clsid="{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" prog="Symantec.Norton.AntiVirus.IEToolBand.1" val="Norton AntiVirus" nam="Norton AntiVirusNAVShellExt Module (navshext.dll)" pub="Symantec Corporation" md5="65c8a602dfa9d5860f1e328cb8575317" ver="10.00.13" sz="103368" is="0" gfp="">c:\program files\norton antivirus\navshext.dll</IEShellBrowser>
    <IEShellBrowser ex="0" clsid="" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp="" />
    </IEShellBrowsers>
    - <IEWebBrowsers>
    <IEWebBrowser ex="1" clsid="{01E04581-4EEE-11D0-BFE9-00AA005B4383}" prog="" val="&Address" nam="Shell Browser UI Library (browseui.dll)" pub="Microsoft Corporation" md5="6eea72937f62376558bf8d693c296ab4" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="1016832" is="0" gfp="">c:\windows\system32\browseui.dll</IEWebBrowser>
    <IEWebBrowser ex="0" clsid="" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp="" />
    <IEWebBrowser ex="0" clsid="" prog="" val="" nam="" pub="" md5="" ver="" sz="" is="0" gfp="" />
    </IEWebBrowsers>
    - <IEMenuExts>
    <IEMenuExt val="E&xport to Microsoft Excel">res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000</IEMenuExt>
    </IEMenuExts>
    - <IEURLSearchHooks>
    <IEURLSearchHook ex="1" clsid="{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" prog="" val="Microsoft Url Search Hook" nam="Shell Doc Object and Control Library (shdocvw.dll)" pub="Microsoft Corporation" md5="ae8ab1175327702d3a6f10dc122c254e" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="1483264" is="0" gfp="">c:\windows\system32\shdocvw.dll</IEURLSearchHook>
    </IEURLSearchHooks>
    - <IEURLs>
    <IEURL val="HCU\Software\Microsoft\Internet Explorer Start Page">http://www.emailcash.com.au/</IEURL>
    <IEURL val="HCU\Software\Microsoft\Internet Explorer Search Page">http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch</IEURL>
    <IEURL val="HCU\Software\Microsoft\Internet Explorer Default_Page_URL" />
    <IEURL val="HCU\Software\Microsoft\Internet Explore Local Page">C:\WINDOWS\system32\blank.htm</IEURL>
    <IEURL val="HCU\Software\Microsoft\Internet Explore Search Bar" />
    <IEURL val="HCU\Software\Microsoft\Internet Explorer Default_Search_URL" />
    <IEURL val="HCU\Software\Microsoft\Internet Explorer HomeOldSP" />
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Start Page">http://www.emailcash.com.au/</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Search Page">http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Default_Page_URL">http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Local Page">C:\WINDOWS\system32\blank.htm</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Search Bar" />
    <IEURL val="HLM\Software\Microsoft\Internet Explorer Default_Search_URL">http://home.microsoft.com/search/search.asp</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer HomeOldSP" />
    <IEURL val="HCU\Software\Microsoft\Internet Explorer\Search CustomizeSearch" />
    <IEURL val="HCU\Software\Microsoft\Internet Explorer\Search SearchAssistant" />
    <IEURL val="HLM\Software\Microsoft\Internet Explorer\Search CustomizeSearch">http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm</IEURL>
    <IEURL val="HLM\Software\Microsoft\Internet Explorer\Search SearchAssistant">http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm</IEURL>
    <IEURL val="HCU\Software\Microsoft\Internet Explorer\SearchUrl" />
    <IEURL val="HLM\Software\Microsoft\Internet Explorer\SearchUrl" />
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs blank">res://mshtml.dll/blank.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs DesktopItemNavigationFailure">res://shdoclc.dll/navcancl.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs NavigationCanceled">res://shdoclc.dll/navcancl.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs NavigationFailure">res://shdoclc.dll/navcancl.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs OfflineInformation">res://shdoclc.dll/offcancl.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs PostNotCached">res://mshtml.dll/repost.htm</IEURL>
    <IEURL val="HLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs mozilla" />
    </IEURLs>
    </InternetExplorerAudit>
    - <SystemAudit>
    - <ShellExecuteHooks>
    <ShellExecuteHook ex="1" clsid="{AEB6717E-7E19-11d0-97EE-00C04FD91972}" prog="" val="URL Exec Hook" nam="Windows Shell Common Dll (shell32.dll)" pub="Microsoft Corporation" md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620 (xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0" gfp="">C:\WINDOWS\system32\shell32.dll</ShellExecuteHook>
    <ShellExecuteHook ex="1" clsid="{9EF34FF2-3396-4527-9D27-04C8C1C67806}" prog="Microsoft.AntiSpyware.ShellExecuteHook.1" val="Microsoft.AntiSpyware.ShellExecuteHook.1" nam="Microsoft AntiSpyware Shell Extension (shellextension.dll)" pub="Microsoft Corporation" md5="f3a7b87726c87c8e5653df0e7da15a47" ver="1.00.0509" sz="93408" is="0" gfp="">c:\program files\microsoft antispyware\shellextension.dll</ShellExecuteHook>
    </ShellExecuteHooks>
    - <ShellOpenCommands>
    <ShellOpenCommand val="HCR\exefile\shell\open\command">"%1" %*</ShellOpenCommand>
    <ShellOpenCommand val="HCR\comfile\shell\open\command">"%1" %*</ShellOpenCommand>
    <ShellOpenCommand val="HCR\batfile\shell\open\command">"%1" %*</ShellOpenCommand>
    <ShellOpenCommand val="HCR\htafile\shell\open\command">C:\WINDOWS\System32\mshta.exe "%1" %*</ShellOpenCommand>
    <ShellOpenCommand val="HCR\piffile\shell\open\command">"%1" %*</ShellOpenCommand>
    <ShellOpenCommand val="HCR\txtfile\shell\open\command">%SystemRoot%\system32\NOTEPAD.EXE %1</ShellOpenCommand>
    <ShellOpenCommand val="HCR\mp3file\shell\open\command">"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"</ShellOpenCommand>
    <ShellOpenCommand val="HCR\mpegfile\shell\open\command">"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"</ShellOpenCommand>
    <ShellOpenCommand val="HCR\mailto\shell\open\command">"C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE" -c IPM.Note /m "%1"</ShellOpenCommand>
    <ShellOpenCommand val="HCR\htmlfile\shell\open\command">"C:\Program Files\Internet Explorer\iexplore.exe" -nohome</ShellOpenCommand>
    <ShellOpenCommand val="HCR\http\shell\open\command">"C:\Program Files\Internet Explorer\iexplore.exe" -nohome</ShellOpenCommand>
    <ShellOpenCommand val="HCR\https\shell\open\command">"C:\Program Files\Internet Explorer\iexplore.exe" -nohome</ShellOpenCommand>
    <ShellOpenCommand val="HCR\ftp\shell\open\command">"C:\Program Files\Internet Explorer\iexplore.exe" %1</ShellOpenCommand>
    </ShellOpenCommands>
    - <ActiveXInstalls>
    - <ActiveXInstall clsid="{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE}" prog="OPUCatalog.OPUCatalog11.1" nam="Office Update Installation Engine" codebase="http://office.microsoft.com/officeupdate/content/opuc2.cab">
    - <Files>
    <File ex="1" nam="Microsoft Office Update Detection Engine (opuc.dll)" pub="Microsoft Corporation" md5="20393d64f69f26361a97fd9afb3c9243" ver="11.0.6466" sz="326656" is="0" gfp="">C:\WINDOWS\opuc.dll</File>
    </Files>
    </ActiveXInstall>
    - <ActiveXInstall clsid="{D27CDB6E-AE6D-11CF-96B8-444553540000}" prog="ShockwaveFlash.ShockwaveFlash.1" nam="Shockwave Flash Object" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
    <Files />
    </ActiveXInstall>
    </ActiveXInstalls>
    - <PROTOCOLSFilters>
    <PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" prog="CorRegistration.CorFltr.1" filter="application/octet-stream" val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime Execution Engine (mscoree.dll)" pub="Microsoft Corporation" md5="8c54138d0271ed4e9c16d8534ff707e4" ver="1.1.4322.2032" sz="155648" is="0" gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" prog="CorRegistration.CorFltr.1" filter="application/x-complus" val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime Execution Engine (mscoree.dll)" pub="Microsoft Corporation" md5="8c54138d0271ed4e9c16d8534ff707e4" ver="1.1.4322.2032" sz="155648" is="0" gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" prog="CorRegistration.CorFltr.1" filter="application/x-msdownload" val="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}" nam="Microsoft .NET Runtime Execution Engine (mscoree.dll)" pub="Microsoft Corporation" md5="8c54138d0271ed4e9c16d8534ff707e4" ver="1.1.4322.2032" sz="155648" is="0" gfp="">c:\windows\system32\mscoree.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}" prog="" filter="Class Install Handler" val="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}" prog="" filter="deflate" val="{8f6b0360-b80d-11d0-a9b3-006097942311}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}" prog="" filter="gzip" val="{8f6b0360-b80d-11d0-a9b3-006097942311}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{8f6b0360-b80d-11d0-a9b3-006097942311}" prog="" filter="lzdhtml" val="{8f6b0360-b80d-11d0-a9b3-006097942311}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSFilter>
    <PROTOCOLSFilter ex="1" clsid="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}" prog="" filter="text/webviewhtml" val="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}" nam="Windows Shell Common Dll (shell32.dll)" pub="Microsoft Corporation" md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620 (xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0" gfp="">c:\windows\system32\shell32.dll</PROTOCOLSFilter>
    </PROTOCOLSFilters>
    - <PROTOCOLSHandlers>
    <PROTOCOLSHandler ex="1" clsid="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}" prog="" filter="about" val="{3050F406-98B5-11CF-BB82-00AA00BDCE0B}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}" prog="" filter="cdl" val="{3dd53d40-7b8b-11D0-b013-00aa0059ce02}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{CD00020A-8B95-11D1-82DB-00C04FB1625D}" prog="CDO.KnowledgePluggable.1" filter="cdo" val="{CD00020A-8B95-11D1-82DB-00C04FB1625D}" nam="Microsoft SharePoint Portal Server Object Model (pkmcdo.dll)" pub="Microsoft Corporation" md5="623d03d48a2da1bc03764d6d7fc88542" ver="10.145.7329.0" sz="868352" is="0" gfp="">c:\program files\common files\microsoft shared\web folders\pkmcdo.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{12D51199-0DB5-46FE-A120-47A3D7D937CC}" prog="" filter="dvd" val="{12D51199-0DB5-46FE-A120-47A3D7D937CC}" nam="ActiveX control for streaming video (msvidctl.dll)" pub="Microsoft Corporation" md5="7b5ba7cb7cf42b557c17d08015be8a14" ver="6.05.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="1428480" is="0" gfp="">c:\windows\system32\msvidctl.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="file" val="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="ftp" val="{79eac9e3-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="gopher" val="{79eac9e4-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="http" val="{79eac9e2-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="https" val="{79eac9e5-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" prog="MSITFS1.0" filter="its" val="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" nam="Microsoft InfoTech Storage System Library (itss.dll)" pub="Microsoft Corporation" md5="a00b287bb6f78bdd3589b7e75a86a6fa" ver="5.2.3790.1221 (dnsrv.040715-2015)" sz="134144" is="0" gfp="">c:\windows\system32\itss.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}" prog="" filter="javascript" val="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{5C135180-9973-46D9-ABF4-148267CBB8BF}" prog="" filter="lid" val="{5C135180-9973-46D9-ABF4-148267CBB8BF}" nam="ActiveX control for streaming video (msvidctl.dll)" pub="Microsoft Corporation" md5="7b5ba7cb7cf42b557c17d08015be8a14" ver="6.05.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="1428480" is="0" gfp="">c:\windows\system32\msvidctl.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="local" val="{79eac9e7-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}" prog="" filter="mailto" val="{3050f3DA-98B5-11CF-BB82-00AA00BDCE0B}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{05300401-BCBC-11d0-85E3-00C04FD85AB4}" prog="" filter="mhtml" val="{05300401-BCBC-11d0-85E3-00C04FD85AB4}" nam="Microsoft Internet Messaging API (inetcomm.dll)" pub="Microsoft Corporation" md5="ad83a2a04f68db2dff500c30536fcd6b" ver="6.00.2900.2527 (xpsp_sp2_gdr.040919-1056)" sz="679424" is="0" gfp="">c:\windows\system32\inetcomm.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}" prog="" filter="mk" val="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}" nam="OLE32 Extensions for Win32 (urlmon.dll)" pub="Microsoft Corporation" md5="2511fa80ffea8e186dda6d28f847e113" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="607744" is="0" gfp="">c:\windows\system32\urlmon.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" prog="MSITFS1.0" filter="ms-its" val="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" nam="Microsoft InfoTech Storage System Library (itss.dll)" pub="Microsoft Corporation" md5="a00b287bb6f78bdd3589b7e75a86a6fa" ver="5.2.3790.1221 (dnsrv.040715-2015)" sz="134144" is="0" gfp="">c:\windows\system32\itss.dll</PROTOCOLSHandler>
  • edited April 2005
    Log part 2:


    <PROTOCOLSHandler ex="1" clsid="{3D9F03FA-7A94-11D3-BE81-0050048385D1}" prog="" filter="mso-offdap" val="{3D9F03FA-7A94-11D3-BE81-0050048385D1}" nam="Microsoft Office XP Web Components (owc10.dll)" pub="Microsoft Corporation" md5="9211fe0255a62db0a51c94acfcf5670b" ver="10.0.6619" sz="7334592" is="0" gfp="">c:\progra~1\common~1\micros~1\webcom~1\10\owc10.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}" prog="" filter="res" val="{3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{76E67A63-06E9-11D2-A840-006008059382}" prog="" filter="sysimage" val="{76E67A63-06E9-11D2-A840-006008059382}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}" prog="" filter="tv" val="{CBD30858-AF45-11D2-B6D6-00C04FBBDE6E}" nam="ActiveX control for streaming video (msvidctl.dll)" pub="Microsoft Corporation" md5="7b5ba7cb7cf42b557c17d08015be8a14" ver="6.05.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="1428480" is="0" gfp="">c:\windows\system32\msvidctl.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}" prog="" filter="vbscript" val="{3050F3B2-98B5-11CF-BB82-00AA00BDCE0B}" nam="Microsoft (R) HTML Viewer (mshtml.dll)" pub="Microsoft Corporation" md5="84a1b9b0c362051e68bb131f14c6daad" ver="6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)" sz="3010560" is="0" gfp="">c:\windows\system32\mshtml.dll</PROTOCOLSHandler>
    <PROTOCOLSHandler ex="1" clsid="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}" prog="Wia.WiaProtocol.1" filter="wia" val="{13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE}" nam="WIA Scripting Layer (wiascr.dll)" pub="Microsoft Corporation" md5="dd469944b09b032e7c7fe85687c2a399" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="75776" is="0" gfp="">c:\windows\system32\wiascr.dll</PROTOCOLSHandler>
    </PROTOCOLSHandlers>
    - <PROTOCOLSNameSpaceHandlers>
    <PROTOCOLSNameSpaceHandler ex="1" clsid="{9D148291-B9C8-11D0-A4CC-0000F80149F6}" prog="MSITFS1.0" namespace="mk" namespacefilter="NameSpace Filter for MK:@MSITStore:..." val="{79eac9e6-baf9-11ce-8c82-00aa004ba90b}" nam="Microsoft InfoTech Storage System Library (itss.dll)" pub="Microsoft Corporation" md5="a00b287bb6f78bdd3589b7e75a86a6fa" ver="5.2.3790.1221 (dnsrv.040715-2015)" sz="134144" is="0" gfp="">c:\windows\system32\itss.dll</PROTOCOLSNameSpaceHandler>
    </PROTOCOLSNameSpaceHandlers>
    - <TCPIPParamaters>
    <TCPIPParamater val="DataBasePath">%SystemRoot%\System32\drivers\etc</TCPIPParamater>
    <TCPIPParamater val="Domain" />
    <TCPIPParamater val="NameServer" />
    <TCPIPParamater val="SearchList" />
    <TCPIPParamater val="VXD MSTCP: NameServer" />
    </TCPIPParamaters>
    - <InternetSettings>
    <InternetSetting val="ProxyEnable">0</InternetSetting>
    <InternetSetting val="ProxyServer" />
    <InternetSetting val="ProxyOverride">localhost</InternetSetting>
    <InternetSetting val="User Agent">Mozilla/4.0 (compatible; MSIE 6.0; Win32)</InternetSetting>
    <InternetSetting val="ZoneMap Domain Count">1037</InternetSetting>
    </InternetSettings>
    - <IESettings>
    <IESetting val="UseMyStylesheet" set="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles" />
    <IESetting val="UserStylesheet" set="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles" />
    <IESetting val="UseMyStylesheet" set="HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Styles" />
    <IESetting val="UserStylesheet" set="HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Styles" />
    </IESettings>
    <AppInitDLLs val="" />
    - <ShellServiceObjectDelayLoads>
    <ShellServiceObjectDelayLoad ex="1" clsid="{7849596a-48ea-486e-8937-a2a3009f31a9}" prog="" val="PostBootReminder" nam="Windows Shell Common Dll (shell32.dll)" pub="Microsoft Corporation" md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620 (xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0" gfp="">c:\windows\system32\shell32.dll</ShellServiceObjectDelayLoad>
    <ShellServiceObjectDelayLoad ex="1" clsid="{fbeb8a05-beee-4442-804e-409d6c4515e9}" prog="" val="CDBurn" nam="Windows Shell Common Dll (shell32.dll)" pub="Microsoft Corporation" md5="9833f278924d028414d7f89bfd4fc46b" ver="6.00.2900.2620 (xpsp_sp2_gdr.050225-1820)" sz="8450048" is="0" gfp="">c:\windows\system32\shell32.dll</ShellServiceObjectDelayLoad>
    <ShellServiceObjectDelayLoad ex="1" clsid="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" prog="" val="WebCheck" nam="Web Site Monitor (webcheck.dll)" pub="Microsoft Corporation" md5="6501db5182d5a8c0f1f1707286161d66" ver="6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)" sz="276480" is="0" gfp="">c:\windows\system32\webcheck.dll</ShellServiceObjectDelayLoad>
    <ShellServiceObjectDelayLoad ex="1" clsid="{35CEC8A3-2BE6-11D2-8773-92E220524153}" prog="" val="SysTray" nam="Systray shell service object (stobject.dll)" pub="Microsoft Corporation" md5="297101a925ecffdcdf7f6341ffbb6c1a" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="121856" is="0" gfp="">c:\windows\system32\stobject.dll</ShellServiceObjectDelayLoad>
    </ShellServiceObjectDelayLoads>
    <ScheduledTasks />
    - <Services>
    <Service ex="1" disp="Application Layer Gateway Service" desc="Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall." nam="Application Layer Gateway Service (alg.exe)" pub="Microsoft Corporation" md5="f1958fbf86d5c004cf19a5951a9514b7" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="44544" is="0" gfp="">C:\WINDOWS\System32\alg.exe</Service>
    <Service ex="1" disp="ASP.NET State Service" desc="Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start." nam="aspnet_state.exe (aspnet_state.exe)" pub="Microsoft Corporation" md5="e1a1206a4fb19b675e947b29ccd25fba" ver="1.1.4322.2032" sz="32768" is="0" gfp="">C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe</Service>
    <Service ex="1" disp="Symantec Event Manager" desc="Symantec Event Manager" nam="Common Client Event Manager Service (ccEvtMgr.exe)" pub="Symantec Corporation" md5="f5f81ca6605853252f2c1950cb994de0" ver="2.1.6.3" sz="255600" is="0" gfp="">C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe</Service>
    <Service ex="1" disp="Symantec Password Validation" desc="Symantec Password Validation Service" nam="Common Client Password Validation (ccPwdSvc.exe)" pub="Symantec Corporation" md5="dd11c3b9b8d80db9da815bda71440782" ver="2.1.6.3" sz="87664" is="0" gfp="">C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe</Service>
    <Service ex="1" disp="Symantec Settings Manager" desc="Symantec Settings Manager" nam="Common Client Settings Manager Service (ccSetMgr.exe)" pub="Symantec Corporation" md5="72258d9e8d26a9b498b3b3654ccb6721" ver="2.1.6.3" sz="235120" is="0" gfp="">C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe</Service>
    <Service ex="1" disp="Indexing Service" desc="Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language." nam="Content Index service (cisvc.exe)" pub="Microsoft Corporation" md5="3192bd04d032a9c4a85a3278c268a13a" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="5632" is="0" gfp="">C:\WINDOWS\System32\cisvc.exe</Service>
    <Service ex="1" disp="ClipBook" desc="Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start." nam="Windows NT DDE Server (clipsrv.exe)" pub="Microsoft Corporation" md5="c8dec22c4137d7a90f8bdf41ca4b82ae" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="33280" is="0" gfp="">C:\WINDOWS\system32\clipsrv.exe</Service>
    <Service ex="1" disp="COM+ System Application" desc="Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start." nam="COM Surrogate (dllhost.exe)" pub="Microsoft Corporation" md5="dd87db7387b9eb441c5674888a0d840c" ver="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" sz="5120" is="0" gfp="">C:\WINDOWS\System32\dllhost.exe</Service>
    <Service ex="1" disp="Logical Disk Manager Administrative Service" desc="Configures hard disk drives and volumes. The service only runs for configuration processes and then stops." nam="Logical Disk Manager service process (dmadmin.exe)" pub="Microsoft Corp., Veritas Software" md5="554c7cb178fe3bd12450b81ad63adbc3" ver="2600.2180.503.0" sz="224768" is="0" gfp="">C:\WINDOWS\System32\dmadmin.exe</Service>
    </Services>
    </SystemAudit>
    <ProcessesAudit>
    <Processes>
    </Processes>
    </ProcessesAudit>
    </Audit>
    </MSSSRT>
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    Well, unfortunately that log doesn't really point out the issue. Other than the scan, are you experiencing any problems?

    Please post a new hijackthis log.
  • edited April 2005
    There aren't any visible spyware symptoms, just the random-ish scan findings. At first ad windows were spawning every ten seconds or so, but disabling elitedun stopped that, and now that seems to be gone.

    The scans seem to offset each other; fix the searchmiracle HJT entries, then MSAS finds browser hijack. Fix browser hijack, and searchmiracle is back. Ad nauseam.

    Here's the current log, after fixing the browser hijack:


    Logfile of HijackThis v1.99.1
    Scan saved at 01:06:23, on 01/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Buckeye_Sam (Columbus, Ohio)
    edited April 2005
    What I think is happening is that MS antispyware is reacting to a change in your home page, even though it's one that we need to make. Then, when we have MS antispyware fix the problem, it restores what it thinks should be your home page: searchmiracle.com.

    Uninstall MS antispyware, fix the R1 lines with hijackthis. Then reinstall MS antispyware and rescan.
  • edited May 2005
    That seems to have fixed it, though I had to uninstall it twice (it left the settings behind the first time, so I had to go in and get them manually). If only MSAS had told me what it was finding we probably would have fixed that a lot quicker! Doesn't seem very useful as a program, so far.

    Thank you so very much for your help! Do you know of any freeware antispy programs that have realtime protection? Not very impressed with MSAS, since it didn't even manage to block the infection in the first place, which is what I installed it for.

    Here's the latest HJT log, just to be sure:

    Logfile of HijackThis v1.99.1
    Scan saved at 13:46:27, on 01/05/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\lotus\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Cheers,
    Sarah
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Check out Spybot.
    http://www.safer-networking.org/en/index.html


    Your log is clean!

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable System Restore with instructions from the tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
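The six Custom Level changes in step 2 of the reply above all land in one registry key, the Internet zone (zone 3) under the current user's Internet Settings, so they can be audited and enforced without clicking through the dialog. The script below is an added example, not part of the original thread and not from any of the tools mentioned in it. The numeric action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the values 0 = Enable, 1 = Prompt, 3 = Disable are the ones Microsoft documents for the Zones keys; the function names and the `-Apply` switch are this example's own. It lists each setting's current state against the recommended one and, with `-Apply`, writes the recommended values.

```powershell
# Added example (not from the original post): audit the Internet zone (zone 3)
# against the six Custom Level settings recommended in step 2, and optionally
# apply them. Run as the user whose Internet Explorer profile you want to check.
param([switch]$Apply)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action ID -> description and desired value (0 = Enable, 1 = Prompt, 3 = Disable).
# IDs are Microsoft's documented zone action IDs; the table itself is ours.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Read one action value from the zone key; $null if the value is not present
# (in which case Internet Explorer falls back to the zone template default).
function Get-ZoneSetting([string]$Id) {
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

# Compare every recommended setting with what is in the registry right now.
function Test-InternetZone {
    $findings = @()
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Value
        $have = Get-ZoneSetting $id
        if ($null -eq $have) { $current = '(absent, template default)' }
        elseif ($Labels.ContainsKey($have)) { $current = $Labels[$have] }
        else { $current = "unknown ($have)" }
        $status = if ($have -eq $want) { 'OK' } else { 'WEAK' }
        $findings += [pscustomobject]@{
            Id      = $id
            Setting = $Recommended[$id].Name
            Current = $current
            Wanted  = $Labels[$want]
            Status  = $status
        }
    }
    return $findings
}

# Write the recommended values as REG_DWORD entries under the zone key.
function Set-InternetZoneHardening {
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($id in $Recommended.Keys) {
        Set-ItemProperty -Path $ZonePath -Name $id -Value $Recommended[$id].Value -Type DWord
    }
}

Test-InternetZone | Format-Table -AutoSize

if ($Apply) {
    Set-InternetZoneHardening
    Write-Host "`nAfter applying:"
    Test-InternetZone | Format-Table -AutoSize
}
```

Run it with no arguments to see which of the six settings are still at a weaker level than the reply asks for, then with `-Apply` to set them. One caveat: if the machine has the `Security_HKLM_only` policy set under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, Internet Explorer reads zone settings from HKLM instead of HKCU, and the per-user values this script writes are ignored; in that case check the same action IDs under the HKLM Zones key instead.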