hijacked search page


3 replies to this topic

#1 fevans636


Posted 08 July 2004 - 10:37 AM

Hi - first time - same as the rest on home page redirect by CoolWebSearch.
Ran Ad-Aware and it cleaned out what it found - ran Spybot to clean up what it could; 2 items wouldn't clean (even on reboot) - DSO exploit, Cydoor, and DownloadWare.
2 files in running processes, Fey and 4etJRRK ? - they and their dll are in folder c:D$S/(user)/Local Settings/temp

Hijack log attached:
Logfile of HijackThis v1.98.0
Scan saved at 10:16:27 AM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ntwx.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\LVCOMS.EXE
C:\documents and settings\fred_2\local settings\temp\Fey.exe
C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\documents and settings\fred_2\local settings\temp\Fey.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\acpme.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (c:\Program Files\Netscape\Users\fred\prefs.js)
O2 - BHO: (no name) - {0678BD57-7926-2CB9-09D4-78CBB306F3AF} - C:\WINDOWS\system32\iedw32.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iega32.exe] C:\WINDOWS\system32\iega32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [3EQZ2SS4FBFK2Q] C:\WINDOWS\System32\NwuD1.exe
O4 - HKLM\..\Run: [Fey.exe] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\Run: [4etJRKK.exe] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [4etJRKK] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [appyl32.exe] C:\WINDOWS\system32\appyl32.exe
O4 - HKLM\..\Run: [AutoLoaderp0pr1JclZJPN] "C:\WINDOWS\System32\per_disp.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [p76X37h] per_disp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Fey] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunOnce: [ntwx.exe] C:\WINDOWS\ntwx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdb: C:\PROGRA~1\INTERN~1\PLUGINS\npchime.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .thp: c:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yim...ctl_0_0_0_1.ocx

thanks in advance for help
Fred Evans

#2 Schadenfroh


Posted 08 July 2004 - 10:49 AM

Try CWShredder.

These look suspicious to me:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\acpme.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Fey.exe] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\Run: [4etJRKK.exe] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [4etJRKK] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [AutoLoaderp0pr1JclZJPN] "C:\WINDOWS\System32\per_disp.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [p76X37h] per_disp.exe
O4 - HKLM\..\Run: [Fey] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)

Suspicious, but unsure of the following:
O4 - HKLM\..\RunOnce: [ntwx.exe] C:\WINDOWS\ntwx.exe

You are also infected with a new CWS variant. See this thread for details.

Edited by Schadenfroh, 08 July 2004 - 10:50 AM.


#3 fevans636


Posted 08 July 2004 - 11:09 AM

Forgot to mention all Windows updates are current. CWShredder log attached:

CWShredder v1.59.1 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.or.../hijackthis.zip
http://www.spywarein.../hijackthis.zip

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\System32
AppData folder: C:\Documents and Settings\Fred_2\Application Data
Username: Fred_2

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (5167 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (728 bytes, A)

- END OF REPORT -
Thanks again

#4 fevans636


Posted 08 July 2004 - 03:58 PM

Downloaded and ran TrojanHunter - log attached - also attached is the HijackThis log - made no adjustments on it. Still got page hijacked.
----------TrojanHunter scan
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\WINDOWS\SYSTEM32\msrv32.exe (Add to ignore list)
Found possible trojan file: C:\WINDOWS\SYSTEM32\msrv32.exe (Suspicious: UPX-packed file in Windows System folder) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ntwx.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\msvg.exe (Add to ignore list)
Found trojan file: C:\Program Files\MGI\MGI PhotoSuite II\System\Randomize.dll (Ralpha.100)
Warning: Unable to unpack UPX-packed file C:\Temp Dwnload\AdbeRdr60_enu_full.exe (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP2\A0000278.exe/aa8A2.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP39\A0003063.exe/ZEhjuw.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP47\A0004924.exe/oT9W.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found possible trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP47\A0006042.exe/G2u.exe (Possible trojan downloader) (What's a possible trojan file?) (Submit for analysis...) (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013881.exe (Nbx.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013883.exe (Luxi.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013884.exe (Luxi.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013885.exe (Luxi.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013887.exe (Nbx.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013895.exe (Nbx.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013896.exe (Nbx.100)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP55\A0013897.exe (Nbx.100)
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP62\A0016349.exe (Add to ignore list)
Found trojan file: C:\System Volume Information\_restore{5027C63E-FD44-4AB2-886C-02A0E41ADD14}\RP62\A0016400.exe (Nbx.100)
Warning: Unable to unpack UPX-packed file C:\TEMP\AdbeRdr60_enu_full.exe (Add to ignore list)
10 trojan files found
5 possible trojan files found
----------Hijack log
Logfile of HijackThis v1.98.0
Scan saved at 3:56:54 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ntwx.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\LVCOMS.EXE
C:\documents and settings\fred_2\local settings\temp\Fey.exe
C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\SOUNDMAN.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\documents and settings\fred_2\local settings\temp\Fey.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://acpme.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\acpme.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...archbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\acpme.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://acpme.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (c:\Program Files\Netscape\Users\fred\prefs.js)
O2 - BHO: (no name) - {0678BD57-7926-2CB9-09D4-78CBB306F3AF} - C:\WINDOWS\system32\iedw32.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.0000.2693\en-us\msntb.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVCOMS.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iega32.exe] C:\WINDOWS\system32\iega32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [3EQZ2SS4FBFK2Q] C:\WINDOWS\System32\NwuD1.exe
O4 - HKLM\..\Run: [Fey.exe] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\Run: [4etJRKK.exe] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [4etJRKK] C:\documents and settings\fred_2\local settings\temp\4etJRKK.exe
O4 - HKLM\..\Run: [appyl32.exe] C:\WINDOWS\system32\appyl32.exe
O4 - HKLM\..\Run: [AutoLoaderp0pr1JclZJPN] "C:\WINDOWS\System32\per_disp.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [p76X37h] per_disp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Fey] C:\documents and settings\fred_2\local settings\temp\Fey.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 3.9\THGuard.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunOnce: [ntwx.exe] C:\WINDOWS\ntwx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~6\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .pdb: C:\PROGRA~1\INTERN~1\PLUGINS\npchime.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .thp: c:\Program Files\Internet Explorer\Plugins\NPLM32.DLL
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yim...ctl_0_0_0_1.ocx



