Scan saved at 4:22:33 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JIMCRU~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TrustSoftAntiSpyware] C:\Program Files\TrustSoft AntiSpyware\TrustSoftAntiSpyware.exe /STARTUP
O4 - HKLM\..\RunOnce: [MSINET.OCX] regsvr32.exe /s C:\WINDOWS\system32\MSINET.OCX
O4 - HKLM\..\RunOnce: [MSCOMCTL.OCX] regsvr32.exe /s C:\WINDOWS\system32\MSCOMCTL.OCX
O4 - HKLM\..\RunOnce: [msscript.ocx] regsvr32.exe /s C:\WINDOWS\system32\msscript.ocx
O4 - HKLM\..\RunOnce: [CCRPPRG6.OCX] regsvr32.exe /s C:\WINDOWS\system32\CCRPPRG6.OCX
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Jim Crumbock"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "Jim Crumbock"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0153B313-673A-1F7C-1B12-3AED646997AF} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {0A8B5103-4EAC-2C69-5068-06F90750ABFA} - http://66.230.175.129/1/gdnUS2047.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.goldenram...detect.cab?8044
O16 - DPF: {114AA3BE-BD66-578F-838E-3C4C14F19867} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {1396FF3D-9877-0047-7770-19261F4268A3} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {13ADD035-36CD-6564-73E0-55FA74441287} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1917D5CA-5B1C-74CD-43EC-3B0D17C245BD} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {1B1EF257-DA1B-7016-CD0D-499A77AD667F} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {1BD4386B-1277-609C-7170-48805E409B40} - http://66.230.175.129/1/gdnUS1384.exe
O16 - DPF: {1C9353E4-C651-2D02-3E96-2D177A0E2C03} - http://66.230.175.129/1/gdnUS2161.exe
O16 - DPF: {1C97C226-DB13-184B-6912-541801E4D906} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {1CB4F464-F403-4DED-5B75-12AB2417EE17} - http://66.230.175.129/1/gdnUS2047.exe
O16 - DPF: {1D6E3B6C-35E7-63F7-CF13-40333CAE4369} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {20CD1FA0-6AFA-0691-E4CF-4BB230E248AC} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {2170805B-13B4-1ABA-B3D2-12061B1C24EC} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...cm/ICSCM_ca.cab
O16 - DPF: {235EC782-6AED-0F6A-4C8C-08FE7FEB6370} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {2C452710-2864-0C15-E591-05751606FF48} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {2C6E53B2-C031-06E5-AB6D-00B1308DEAD4} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {2FC95D0B-B5F6-2276-7974-402257270CC0} - http://66.230.175.129/1/gdnUS1384.exe
O16 - DPF: {30FF76FE-E959-656F-BCBF-31472BE78205} - http://66.230.175.129/1/gdnUS1384.exe
O16 - DPF: {34766365-5F85-055A-2400-764663450C0D} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {36E11D4A-D9D0-34E1-2396-4F342E70EEB7} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://www.imgag.com...stall/AxCtp.cab
O16 - DPF: {39825F4B-DC05-3FE5-1783-0735609868C6} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3A1E1FB8-1482-749D-ED08-4CC2027E7039} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3A697046-3705-0E52-C678-73350C1FA03F} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3B9103CA-8F77-1EE7-7AB9-30B1517F2C8B} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3C8348DD-BC92-1ABE-7913-2D6F79BCA9DD} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3DA63FBE-61D9-55AB-2B59-66482CE07C36} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {3E677ED9-698E-7D65-A6D9-584461700E8A} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {40C5EFF6-4C07-27E0-B695-28A74B45884B} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {432FE8C7-A1A0-226F-0A67-287B5F15CC71} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {438C8C41-CC88-3742-11DB-6A712373A49A} - http://66.230.175.129/1/gdnUS1384.exe
O16 - DPF: {4454FFF2-879E-7C14-12A1-338823CC5052} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {4668BC90-0944-07AE-18A7-76B8056DF7EF} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {48538AE1-AC48-449C-3F7E-3B4E00CF67D9} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {4B26C57D-1C52-385C-2261-7D0E0C7AA48B} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {4C1BB238-E2D5-6DFD-AAC4-5B1D1C516F7A} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {4F28DBA8-2515-1792-71B4-1F476EB72958} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {5006FBBD-404C-12A6-BA4F-15942080123A} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {5073C7DF-68FF-0675-3390-0DB744845E1E} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {50AFCD9C-5172-471A-5948-2460296157AA} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {50DBE7E1-54DF-052B-EB85-564F6F87F753} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {527196A4-B1A3-4647-931D-37BA5AF23037} - http://highconvert.c...s/dimpy/bot.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {5643F805-0554-0493-587B-2A31697F744F} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {565D4ADA-1BE9-4FAA-5214-15E959CCE023} - http://66.230.175.129/1/gdnUS1384.exe
O16 - DPF: {56D911B8-6BDC-5DE7-327B-614D465D2BAF} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {5F5658A7-CB0A-4870-BF08-6C636B4C0A46} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {604CE36D-4829-7B5C-BB34-382C74C2507D} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {61C99043-1C47-31FE-DD4C-26073E3EE6E7} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {66D3B5C5-6229-2A33-2429-648B62915E3F} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {68066CCC-21AB-08B0-FD9B-7C443E092759} - http://66.230.175.129/1/gdnUS2161.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126269047389
O16 - DPF: {72505842-29A3-7B7E-E682-28E065325243} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {72BDEA44-B0D6-1748-CDC4-123B38B57D68} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {759D0793-BEE6-0C7F-5896-655814B9CF8C} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {77090158-B041-2A62-030C-15D87D0AEC0D} - http://69.50.173.166/1/rdgUS2156.exe
O16 - DPF: {78BFEEB1-51E5-1436-2039-5E9A18F61AC7} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {79243B12-3E29-6CA3-C0E0-5490042A14CA} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {7AB89D8C-8A12-030C-5D5E-5B0831704CDB} - http://69.50.173.166/1/gdnUS2050.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC899} - http://www.kogalu.co...rnz/chatter.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://www.imgag.com...tall/AxCtp2.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://www.imgag.com...all/Crusher.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.micro...jects/ocget.dll
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://www.content-l...ad/ccaccess.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...613/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay10...ex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
I do not know if this is the right place to post my HijackThis log for help. My browser is slow to react. I have performed all scans but it still seems slower than normal. The last scan came up with a CWS hijacker and I removed it at the end of the scan. I have seen HijackThis mentioned quite often and it seems like the kind of help I can use to determine what I should remove and what I should keep.
Thank you for any help you can give me. Pap10