Jump to content


Photo

pop unders


  • Please log in to reply
4 replies to this topic

#1 J.Dangerously

J.Dangerously

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 08 July 2004 - 04:11 PM

Having problems with popups being served to my computer. I have run AAW, and S&D. AAW comes up clean, S&D always finds one that it says it has removed, but then it is back again when I rerun S&D.

Here is my HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 4:02:22 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\licensed\local settings\temp\hno.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\rcs\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\ptc\flexlm\i486_nt\obj\lmgrd.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\ptc\dataserver\oracle\bin\ORACLE.EXE
C:\ptc\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\System32\BxjFx8f.exe
C:\WINDOWS\System32\QbuIyY26.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - c:\windows\system32\ngsw31.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [hno.exe] C:\documents and settings\licensed\local settings\temp\hno.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [55DT8KZ34SPYJ3] C:\WINDOWS\System32\Kwz1Xc1b.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\rcs\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} (PlaceWare Presentation-Upload Control) - http://ebb.ops.place...loadControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\ptc\proeWildfire_2\i486_nt\obj\pvx_install.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7761.5298611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D15E09B2-2FC9-43FE-BE43-DE8F5C02778F}: NameServer = 151.161.1.7,151.161.1.8,128.101.101.101,134.84.84.84

#2 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 225 posts

Posted 08 July 2004 - 07:19 PM

Hello,

Let's start with this: (This is for the Peper trojan)

Download the following File:
http://downloads.sub...rg/PeperFix.exe

Double CLick on it and press 'Find and Fix'.

The program will scan your hard drive for Peper file, move them, reboot, then delete them.

Run Hijackthis again and post a new log here.

#3 J.Dangerously

J.Dangerously

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 08 July 2004 - 09:44 PM

Thanks for the advice. Here is the new HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:40:00 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\QuickTime\qttask.exe
C:\documents and settings\licensed\local settings\temp\hno.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\rcs\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\ptc\flexlm\i486_nt\obj\lmgrd.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
c:\ptc\dataserver\oracle\bin\ORACLE.EXE
C:\ptc\flexlm\i486_nt\obj\ptc_d.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - c:\windows\system32\ngsw31.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [hno.exe] C:\documents and settings\licensed\local settings\temp\hno.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [55DT8KZ34SPYJ3] C:\WINDOWS\System32\Kwz1Xc1b.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\rcs\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} (PlaceWare Presentation-Upload Control) - http://ebb.ops.place...loadControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\ptc\proeWildfire_2\i486_nt\obj\pvx_install.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7761.5298611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D15E09B2-2FC9-43FE-BE43-DE8F5C02778F}: NameServer = 151.161.1.7,151.161.1.8,128.101.101.101,134.84.84.84

#4 Taz71498

Taz71498

    Advanced Member

  • Retired Staff
  • PipPipPip
  • 225 posts

Posted 08 July 2004 - 10:09 PM

Hello,

Download Registrar Lite from here:
http://www.resplende...oad/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the follow text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one -> {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ Notice the underscore at the end, It should be the first one.

Right click on it, and select delete.
If you get a confirmation question, respond OK then close out the program.

Now, do a Ctrl+Alt+Del and look to see if this process is running, if so End Task it:

hno.exe

Next, Go here and run this uninstaller http://www.puritysca.../uninstall.html

Search your hard disk for a file called PURITYSCAN.EXE. If you find it, delete it.


Run Hijackthis again with all browsers closed and check these items and then on Fix:

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - c:\windows\system32\ngsw31.dll

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [hno.exe] C:\documents and settings\licensed\local settings\temp\hno.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [55DT8KZ34SPYJ3] C:\WINDOWS\System32\Kwz1Xc1b.exe
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisu.exe

Reboot the computer into safe mode

Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Find and delete these files/folders:
C:\Program Files\TV Media <<<<<<<<Folder
C:\documents and settings\licensed\local settings\temp\hno.exe
C:\WINDOWS\System32\dp-k13w13.exe
C:\WINDOWS\System32\Kwz1Xc1b.exe
C:\WINDOWS\System32\wapisu.exe


Reboot and post a new Hijackthis log here.

#5 J.Dangerously

J.Dangerously

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 09 July 2004 - 11:55 AM

Thanks for the additional input. It looked like many of the executables were wiped out with the purityscan. Here is my new HJT Log:


Logfile of HijackThis v1.97.7
Scan saved at 11:52:33 AM, on 7/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\rcs\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\ptc\flexlm\i486_nt\obj\lmgrd.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
C:\ptc\fileserver\i486_nt\obj\nfsserv.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\ptc\dataserver\oracle\bin\ORACLE.EXE
C:\ptc\flexlm\i486_nt\obj\ptc_d.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.org/
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\rcs\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0369528B-3082-11D2-9997-00A0C9B7A242} (PlaceWare Presentation-Upload Control) - http://ebb.ops.place...loadControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\ptc\proeWildfire_2\i486_nt\obj\pvx_install.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7761.5298611111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D15E09B2-2FC9-43FE-BE43-DE8F5C02778F}: NameServer = 151.161.1.7,151.161.1.8,128.101.101.101,134.84.84.84




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button