• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
jlhough

Spybot & Adaware Missed These - Why?

8 posts in this topic

I've had big problems with crapware hijacks, and found Tom Coyote on the web. Great website! I plan to donate to it. Also to SWI.

 

I've been running spybot S&D Spywatch and Adaware 6 Plus, CWShredder, and at least a half dozen other trialware spyware programs. They've helped, but still left me with this infected HiJackTjis logfile.

 

I can spot at least a half dozen, perhaps more entries that could be fixed, but before I do I wanted to post them FYI, so that perhaps the next database might catch the culprit(s).

 

I'd appreciate your help with a donation. Spybot is a nice product. I also have some questions about how safe it is to run Adwatch and Spywatch at the same time, or if that is needed.

 

Thanks.

 

Jere

 

Here my infected, but improved logfile:

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 5:14:45 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\notepad.exe

C:\HJT\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1048

O1 - Hosts: 209.66.123.175 admin.promaxhost.com

O1 - Hosts: 209.66.123.175 tds.alekshost.com

O1 - Hosts: 209.66.123.175 tds.bgporn.com

O1 - Hosts: 209.66.123.175 redfuck.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2867D349-3621-4749-83BB-576BA1A6FF02} - (no file)

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\System32\adsubtb.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Skyscape smARTupdate.lnk = Common Files\Skyscape\smARTupdate.exe

O4 - Startup: BJ Status Monitor Canon i950.lnk = ?

O4 - Startup: Webshots.lnk = Webshots\WebshotsTray.exe

O4 - Startup: AdSubtract.lnk = interMute\AdSubtract\AdSub.exe

O4 - Global Startup: Microsoft Office.lnk = Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360

O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361

O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4...49%5A/find.html (file missing)

O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C05F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4.../antivirus.html (file missing)

O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C05F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4...%49%5A/ggo.html (file missing)

O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C05F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4...%5A/warning.htm (file missing)

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4.../topsearch.html (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://www.liveupdate.com/controls/getcab2.dll

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18895ac0999e7caa1202/...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

O18 - Filter: text/html - {3C83F608-A546-4D06-8D86-9DB0AE901FCD} - C:\WINDOWS\System32\ghg.dll

O18 - Filter: text/plain - {3C83F608-A546-4D06-8D86-9DB0AE901FCD} - C:\WINDOWS\System32\ghg.dll

Share this post


Link to post
Share on other sites

Not a pretty log :p

 

Ok download About:Buster 1.26. Save it to your desktop and unzip it.

 

Reboot into safe mode - Directions

Run About:Buster in safe mode. Once you are done tick the boxes in Hijack This next to these items.

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O1 - Hosts: 209.66.123.175 admin.promaxhost.com

O1 - Hosts: 209.66.123.175 tds.alekshost.com

O1 - Hosts: 209.66.123.175 tds.bgporn.com

O1 - Hosts: 209.66.123.175 redfuck.com

O2 - BHO: (no name) - {2867D349-3621-4749-83BB-576BA1A6FF02} - (no file)

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - c:\windows\iehr.dll

O18 - Filter: text/html - {3C83F608-A546-4D06-8D86-9DB0AE901FCD} - C:\WINDOWS\System32\ghg.dll

O18 - Filter: text/plain - {3C83F608-A546-4D06-8D86-9DB0AE901FCD} - C:\WINDOWS\System32\ghg.dll

 

Then delete C:\WINDOWS\System32\ghg.dll if found.

This should remove the main infection :). Restart normally, scan with Hijack This, and post a new log.

Share this post


Link to post
Share on other sites

OK. I did everything as you directed, and still appear to have problems. I connect to the internet via a home networking LAN that is always on. After I fix things and reboot, I get messages from AdWatch and SB-resident that changes are being requested, like an ADAware value deleted - Allow or deny. I'm not sure whcih to do. Some look OK, and others don't.

 

Here my latest logfile after doing a couple about buster scans, which seemed to catch different culprits each time. It looks fairly clean now, but I doubt it will stay that way:

 

Logfile of HijackThis v1.98.0

Scan saved at 10:19:03 AM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1074

O2 - BHO: (no name) - {0219B28F-F9E5-43C6-9504-A3B3EC46144E} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2867D349-3621-4749-83BB-576BA1A6FF02} - (no file)

O2 - BHO: (no name) - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {677E31E3-43FC-4355-AED0-1680BD684B5F} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\System32\adsubtb.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Skyscape smARTupdate.lnk = Common Files\Skyscape\smARTupdate.exe

O4 - Startup: BJ Status Monitor Canon i950.lnk = ?

O4 - Startup: Webshots.lnk = Webshots\WebshotsTray.exe

O4 - Startup: AdSubtract.lnk = interMute\AdSubtract\AdSub.exe

O4 - Global Startup: Microsoft Office.lnk = Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360

O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361

O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4...49%5A/find.html (file missing)

O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C05F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4.../antivirus.html (file missing)

O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C05F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4...%49%5A/ggo.html (file missing)

O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C05F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4...%5A/warning.htm (file missing)

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4.../topsearch.html (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18895ac0999e7caa1202/...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

 

Thanks for your help.

 

Jere

Share this post


Link to post
Share on other sites

I ran about buster, adaware and spybot again. Spybot again reported DSO exploie. Adaware caught CWS about blank again. Removed them and ran this latest HiJackThis log. Any help appreciated. Will make donation when fixed.

 

Logfile of HijackThis v1.98.0

Scan saved at 11:35:19 AM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\HJT\HijackThis.exe

C:\Program Files\Messenger\msmsgs.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\pollymc\LOCALS~1\Temp\sp.html

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1052

O2 - BHO: (no name) - {0219B28F-F9E5-43C6-9504-A3B3EC46144E} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {2867D349-3621-4749-83BB-576BA1A6FF02} - (no file)

O2 - BHO: (no name) - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {677E31E3-43FC-4355-AED0-1680BD684B5F} - (no file)

O2 - BHO: (no name) - {88705DEF-F518-4215-9C87-08678C6D3054} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\System32\adsubtb.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autofix /autoclose

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Skyscape smARTupdate.lnk = Common Files\Skyscape\smARTupdate.exe

O4 - Startup: BJ Status Monitor Canon i950.lnk = ?

O4 - Startup: Webshots.lnk = Webshots\WebshotsTray.exe

O4 - Startup: AdSubtract.lnk = interMute\AdSubtract\AdSub.exe

O4 - Global Startup: Microsoft Office.lnk = Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360

O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361

O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4...49%5A/find.html (file missing)

O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C05F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4.../antivirus.html (file missing)

O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C05F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4...%49%5A/ggo.html (file missing)

O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C05F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4...%5A/warning.htm (file missing)

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4.../topsearch.html (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18895ac0999e7caa1202/...ip/RdxIE601.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

Share this post


Link to post
Share on other sites

Jlhough,

 

If you have not already done so, disable the System Restore utility. This may

be the cause of certain DSO exploits coming back (there are several

in all versions of Windows by default). They won't really bother anything being

in there but if you want to remove all traces of them, then you will need to disable

system restore. To do this, (you will need administrator privileges), right click

on "My Computer" and choose "Properties". Then, click on the "System Restore"

tab. Put a checkmark in the checkbox in that tabbed window to disable system

restore and hit "Apply". It may take several 10's of seconds for the pointer to

revert from the hourglassed appearance due to the system restore points that

have been created since you installed Windows XP (this is normal).

 

Regards,

Sharizod

Edited by Sharizod

Share this post


Link to post
Share on other sites

I've disabled system restore a couple of time this past week during this malware search process.

 

I still need someone to look at my last logfiles for suggestions on what to have HJT fix.

Share this post


Link to post
Share on other sites

OK, After removal during safe mode, reboot, rescan, this is what I get. But I still have many problems, and spend all my time closing alert boxes, and even get popups touting spyware removal tools (like I'd really buy something from them... DUH!)

 

 

Logfile of HijackThis v1.98.0

Scan saved at 3:50:06 PM, on 7/11/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

C:\WINDOWS\System32\wfxsnt40.exe

C:\WINDOWS\SYSTEM32\USRshutA.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\SYSTEM32\USRmlnkA.exe

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Skyscape\smARTupdate.exe

C:\Program Files\Webshots\WebshotsTray.exe

C:\Program Files\interMute\AdSubtract\AdSub.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\cnmsm4d.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Office\Office\OUTLOOK.EXE

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll

O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINDOWS\System32\adsubtb.dll

O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe

O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"

O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

O4 - Startup: PowerReg SchedulerV2.exe

O4 - Startup: Skyscape smARTupdate.lnk = Common Files\Skyscape\smARTupdate.exe

O4 - Startup: BJ Status Monitor Canon i950.lnk = ?

O4 - Startup: Webshots.lnk = Webshots\WebshotsTray.exe

O4 - Startup: AdSubtract.lnk = interMute\AdSubtract\AdSub.exe

O4 - Startup: SpywareGuard.lnk = SpywareGuard\sgmain.exe

O4 - Global Startup: WinZip Quick Pick.lnk = WinZip\WZQKPICK.EXE

O4 - Global Startup: Microsoft Office.lnk = Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360

O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361

O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359

O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\windows\downloaded program files\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B1} - http://www001.upp.so-net.ne:3128@DF809JOW4...49%5A/find.html (file missing)

O9 - Extra button: ANTIVIRUS - {0B5F1910-F111-11d2-BB9E-00C05F7956B2} - http://www001.upp.so-net.ne:3128@DF809JOW4.../antivirus.html (file missing)

O9 - Extra button: ENTERTAINMENT - {0B5F1910-F111-11d2-BB9E-00C05F7956B3} - http://www001.upp.so-net.ne:3128@DF809JOW4...%49%5A/ggo.html (file missing)

O9 - Extra button: SECURITY - {0B5F1910-F111-11d2-BB9E-00C05F7956B4} - http://www001.upp.so-net.ne:3128@DF809JOW4...%5A/warning.htm (file missing)

O9 - Extra button: SEARCH - {0B5F1910-F111-11d2-BB9E-00C05F7956B5} - http://www001.upp.so-net.ne:3128@DF809JOW4.../topsearch.html (file missing)

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll

O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://www.download.com

O15 - Trusted Zone: *.ebay.com

O15 - Trusted Zone: *.photobucket.com

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab

O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll

O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab

O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://www.sunterra.com/downloads/svh/svideo3.cab

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0