Jump to content


Photo

srss.exe/mxTarget.dll/WinUpdt.exe/polall1t.exe ETC


  • Please log in to reply
11 replies to this topic

#1 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 26 July 2004 - 06:58 AM

Fairly new to this sort of stuff. I did read the pre-post FAQ as requested. I have XP Pro and run Ad-aware and SpyBot with latest versions and latest reference files. I regularly run these two programs and after doing their thing they report my pc is clean. But after my Nortons 2004 AntiVirus recently did a full scan it reported I had a number of at-risk files which it could not delete. They included Comm.dll; msbb.exe; mxTarget.dll; polall1t.exe; preInsTT.exe; twaintec.dll; WinKA.exe; and WinUpdt.exe...some of them multiple copies. I also found srss.exe on my system which periodically keeps trying to get access to the Net and I was told it is probably a trojan.

My concern is that some or all of these may be 'nasties' that should be removed but I'm not game to try that without guidance (couched in simple terms <g>) from an informed/experienced person. (I tonight installed HijackThis after visiting this forum and seeing some of the comments, I can do the log file but not sure about how to do a startup log). I would appreciate advice as to whether I have a bad problem and I would welcome some assistance on how to clean up my pc...please. Thank you.

Edited by terrytturtle, 26 July 2004 - 07:02 AM.


#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 26 July 2004 - 01:16 PM

terrytturtle,

Make sure your HJT is in its own permanent folder:
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have C:\HJT\ folder.
Double-click on the .exe to scan.
Please post a HijackThis log.. After Scan, the Scan button changes to Save Log. Click that, save it somewhere. Do Ctrl-A to Select all, and then copy and paste it here.

Do an online scan at Housecall or Panda and then post a fresh HJT log as instructed above. Thanks!
Housecall: http://www.trendmicr.../enterprise.htm
Or Panda: http://www.pandasoft...n_principal.htm
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

It would also help us if you, again, would report the names of all infections found. Thanks!
Microsoft MVP - Consumer Security

#3 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 27 July 2004 - 03:57 AM

Hi Bugbatter, thank you for 'adopting' me. In the following order:

1. I ran Ad-aware and SpyBot. They both reported I had no threats.

2. I scanned with Nortons AntiVirus and it reported I had 6 at-risk files. (I don't know what happened to the other 16 it said I had yesterday <g>). Those at-risk files were identified as 2 x mxTarget.dll; 2 x polall1t.exe; 1 x preInsTT.exe and 1 x twaintec.dll.

3. I ran HijackThis and its log file is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 12:59:45 PM, on 27/07/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RegBackup.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\srss.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\HijackThis\HijackThis (Std vers).exe
C:\WINDOWS\notepad.exe
C:\Program Files\Quick View Plus\Program\QVP32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 127.98.9.1 pop.ozemail.com.au.b9
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Enfish Find... - {1F680408-B58A-40B0-A330-50A344786F97} - C:\Program Files\Enfish\Enfish Find\EtiFndBr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Auto Registry Backup] RegBackup.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows System Resource Service] srss.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
O4 - HKLM\..\Run: [WorkFlowTray] C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
O4 - HKLM\..\Run: [Opware14] C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
O4 - HKLM\..\Run: [OpScheduler] C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\TextBridge Pro 9.0\Bin\RegisterDropHandler.exe
O4 - HKLM\..\RunServices: [Windows System Resource Service] srss.exe
O4 - HKLM\..\RunServices: [Auto Registry Backup] RegBackup.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\TextBridge Pro 9.0\Bin\RegisterDropHandler.exe
O4 - HKCU\..\Run: [Startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [Slingshot Tray App] C:\Program Files\Enfish\Enfish Find\EtiTray.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Auto Registry Backup] RegBackup.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Windows System Resource Service] srss.exe
O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...4145ae90fecae62
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...udio/ChkDVD.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://instantsuppor...SWebManager.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0E12B-730B-4D8C-8664-E8B6F0EA1989}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: eti - {3AAE7392-E7AA-11D2-969E-00105A088846} - C:\Program Files\Enfish\Enfish Find\EtiPBrkr.dll


4. I ran Panda ActiveScan online scan and it reported 3 infected files. It disinfected 2 and left the following virus: Trj / Downloader.GK (at) C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI7BCD.tmp \ twaintec.cab[polall1t.exe].

5. I also ran HouseCall online scan. It reported the same non-cleanable file as Panda ActiveScan but said: "Unable to delete the infected entire contents of the compressed file: C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI7BCD.tmp \ twaintec.cab'iA. Do you want to delete the whole file?. I wasn't sure what to do so I clicked on "NO" and exited the program.

6. I re-scanned with Nortons and it reported the same 6 at-risk files I mentioned at para 2.

7. I re-scanned with HijackThis and that log file is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 4:36:55 PM, on 27/07/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RegBackup.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HijackThis\HijackThis (Std vers).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 127.98.9.1 pop.ozemail.com.au.b9
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Enfish Find... - {1F680408-B58A-40B0-A330-50A344786F97} - C:\Program Files\Enfish\Enfish Find\EtiFndBr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0\Monitor.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Auto Registry Backup] RegBackup.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\WinPortrait\wpctrl.exe
O4 - HKLM\..\Run: [WorkFlowTray] C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
O4 - HKLM\..\Run: [Opware14] C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
O4 - HKLM\..\Run: [OpScheduler] C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\TextBridge Pro 9.0\Bin\RegisterDropHandler.exe
O4 - HKLM\..\RunServices: [Auto Registry Backup] RegBackup.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\TextBridge Pro 9.0\Bin\RegisterDropHandler.exe
O4 - HKCU\..\Run: [Startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [Slingshot Tray App] C:\Program Files\Enfish\Enfish Find\EtiTray.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Auto Registry Backup] RegBackup.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...4145ae90fecae62
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...udio/ChkDVD.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://instantsuppor...SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0E12B-730B-4D8C-8664-E8B6F0EA1989}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: eti - {3AAE7392-E7AA-11D2-969E-00105A088846} - C:\Program Files\Enfish\Enfish Find\EtiPBrkr.dll

8. I also still have 'srss.exe' in my system which my pc shop tells me is a trojan.

9. I hope I have successfuly and properly provided all the information you requested and needed to help me clean my pc. Thank you for your interest in my problem. Terry

PS. Do you recommend installing trojan hunters and if so, for a mid-experienced pc user, would you recommend TrojanHunter or TDS. They seem to be the top ones I've seen reviewed on the Net. I would appreciate your comments because if these programs will help prevent me getting these infections I would spend the money just for the peace of mind. If the forum rules prevent you from recommending a product I understand.

#4 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 27 July 2004 - 12:58 PM

Good work!
Before we go any further, make sure your computer is configured to view all folders/files:
Enable the "Show Hidden Folders" option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders.
Uncheck the Hide Protected Operating System Files (recommended) option.
Click Yes to confirm.
Click OK

Run HJT with all other windows/browser closed and tick to fix these:
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...4145ae90fecae62


Reboot into Safemode and delete what is in bold text:
C:\Windows\System32\wsaupdater.exe
C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI7BCD.tmp \ twaintec.cab[polall1t.exe] <=TH17BCD and twaintec/polallit

Reboot normally.
Empty your Temporary Internet Files and history in Internet Options. And clean out your
%Userprofile%\Local Settings\Temp (User Profile: repeat for all users)

OR: Use the Disk Cleanup Utility to empty all your Temp folders

Empty your Recycle Bin.

After something like this it is a good idea to purge the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

When you scanned with Adaware did you have the most recent update (reference file 01R334 24.07.2004)?
The reason that I ask is because one of the things it now looks for is an item that you have the Active-x installer for.
You are fixing that in your HJT log, but I am wondering if there are any remnants that Adaware would pick up.

To answer your TrojanHunter question, I would suggest that you download the free trial version of TrojanHunter to see how you like it.
It will search for files that you can delete.: http://www.trojanhunter.com/
I could find no information on your srss.exe. Let's see if TrojanHunter finds it.

Keep up the good work! We're getting there!
Microsoft MVP - Consumer Security

#5 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 27 July 2004 - 10:43 PM

1. Thank you for your quick reply. I did what you advised and it all went according to the script except for when I tried to complete the following:

Reboot into Safemode and delete what is in bold text:
C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI7BCD.tmp \ twaintec.cab[polall1t.exe] <=TH17BCD and twaintec/polallit

I didn’t find those file names as such in the folder but I did find 2 files just called ‘twaintec’ (one was a winzip file and the other was a setup info file). I deleted the ‘THI7BCD.tmp’ folder. Did I do the right thing?

2. You asked if I had the most recent Ad-aware update (reference file 01R334 24.07.2004)?” Yes, I have that reference, I got it the last time I updated Ad-aware.

3. After following your instructions, I ran Ad-aware and Spybot. They both said no threats found.

4. I ran Panda ActiveScan and it reported “No viruses have been found.”

5. I ran my Nortons AntiVirus, it said I had 2 at-risk files which it couldn’t delete and both files were ‘mxTarget.dll’ (Threat name: Adware.Binet). While I was in C:\Documents & Settings \ Terry \ Local Settings \ Temp \ to delete the ‘twaintec’ files I noticed 2 files called “mxTarget” (one was a zip file and the other a setup information file). I just left them alone. Do I need to do anything about them?

6. Re my suspect nasty ‘srss.exe’. I haven’t downloaded the demo TrojanHunter yet but I shall do so shortly (when I've got some spare minutes to install and sort out how to use a new program like this one). If it’s user friendly I’ll buy it. In the meantime, I did a Start > Search for ‘srss’ and it found: “SRSS>EXE – 16329BB1.pf (a 61 KB pf file) in C:Windows \ Prefetch”.

7. My pc shop advised me ‘srss.exe’ was a suspected trojan after they stumbled onto it via (I think) msconfig when checking something else and they deleted it but it re-appeared 30 seconds later. That’s when they said ask for help from this forum <g>. I ran msconfig > startup tab and the screen showed an entry for : srss.exe HKLM \ Software \ Microsoft \ Windows \ Current Ver… .

8. Any suggestions concerning mxTarget and srss.exe? Do you want me to post another HJT log?

9. You said: “Keep up the good work! We're getting there.” I can see that now and I'm not so stressed about these 'nasties' being in my pc, thanks to you!!!!

#6 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 28 July 2004 - 11:05 AM

terrytturtle,

You are doing a great job so far. Keep up the good work!

It might be a good idea to print this so you can refer to it while working. It is not difficult, but it does require many steps that must be done in the order specified.

The twaintec problem can be confusing because there are two versions: One is associated with a Trojan, and the other is associted with adware. Nevertheless, you don't want either one.
From what I can see, you are the unfortunate owner of both!

The file in that temp folder is where the Trojan was. Good job deleting it!

To be sure the Trojan version is completely taken care of, also do this:

We will be working in the registry so, as always, make a backup first:
1. Click Start > Programs > Accessories > System Tools > Backup.
2. Click Advanced Mode.
3. On the Welcome tab, click the Backup Wizard (Advanced) button.
4. Click Next.
5. Select Only back up the System State data, and then click next.
6. Click the Browse button.
7. Click Cancel if the "Insert Disk" warning message pops up.
8. In the Save As dialog box, choose a location to save your registry back up.(Remember where!!)
9. Click Save.
10. Click Next.
11. Review the information in this window. Your Contents should say "Back up only the system state." Click Finish.
12. When the back up completes click Close.
13. Your registry is now backed up. You may close the Backup Utility window.

Once you have your backup of the registry saved,
do this (**Remember, the Trojan's and adware's registry entrires are in the backup, so IF you double-click on it, they will go right back into your computer!)
The backup is for emeregency only and can be deleted with one rt-click after the trojan/adware removal is successful.

Here we go:

1)Navigate to Drive C, Windows, and delete the following file if it exists as well
c:\windows\twaintec.dll

2) Close My Computer

3) Click on Start, Run, and type REGEDIT and press Enter

4) In the Registry Editor click the pluses(+) next to the following keys

* HKEY_LOCAL_MACHINE
* Software
* Twaintec

5) Right-click on the twaintec folder and click Delete to remove it.

Reboot. Empty the recycle bin.

--------------------

Now for the twaintec adware:

1) Click on Start, Settings, Control Panel

2) Open Add/Remove Programs

3) Select Twain-tech and click on Add/Remove

In the absence of an entry in ADD/REMOVE PROGRAMS, use the following steps to unregister and delete the program:

1) To permanently disable the software click "Start" and then "Run" and type the following command which unregisters the software:

regsvr32 c:\windows\twaintec.dll

2) To completely remove the software: reboot and then Find and Delete the file mxtarget.dl.

Empty the recycle bin again.

** If for any reason you cannot delete the twaintec file do it in Safemode.

Flush System Restore:
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)

Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

If all is well, go to where you saved that backup of the registry and carefully right-click on the backup reg file and chose Delete.
Empty the recycle bin again.

-------------
As far as srss.exe, if it is returning, there is a hidden file someplace that is causing this.
TrojanHunter usually can find these, so delete what it finds.

Then run anti-virus scans with your NAV and Panda because they can find different things.

When your PC is clean, clean temps again, empty the Recycle Bin again, and flush System Restore again.

At this point, post a fresh HJT log for final review and let me know how things are going. Thanks.
Microsoft MVP - Consumer Security

#7 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 28 July 2004 - 09:14 PM

Hi again BugBatter. I didn’t do so good this time, I couldn’t successfully process any of your instructions (other than backing up the registry <g>, but Hey, that’s a handy thing to learn and know how to do anyway).

Here is a summary of events:
_____________________

Navigate to Drive C, Windows, and delete the following file if it exists: c:\windows\twaintec.dll.

I did that but the file was not there.
______________________

In the Registry Editor click the pluses(+) next to the following keys * HKEY_LOCAL_MACHINE * Software * Twaintec.

I did that but the file was not there.

HOWEVER, while I was in the Registry I went Edit > Find > and typed in ‘twaintec’. The search showed in the right-hand pane: Name: 003 - Type: REG-SZ - Data: twaintec.

It also showed: 001 REG-SZ srss | 002 REG-SZ srss.exe | 004 REG-SZ mxTarget.dll. (and another file I’m starting to suspect:: 000 | REG-SZ RegBackup.exe).

All these entries were under: HKEY_USERS \ S-1-5-21-343818398 – 630328440 – 725345543 – 1003 \ Software \ Microsoft \ Search Assistant \ ACMru \ 5603.

Is this a nest of the bad buggers? I wasn’t game to delete anything in the Registry till I checked with you first so I did nothing! What do you suggest?
_______________

Look in Add/Remove Programs for Twain-tech.

I did that but the file was not there.
________________

To permanently disable twaintec, in Start > Run > type in ‘regsvr32 c:\windows\twaintec.dll’.

I did that and got a message that said “Loadlibrary [file path] failed. The specified module could not be found.” I moved on to the next step…
___________________

To completely remove the software: reboot and then Find and Delete the file mxtarget.dll.

I did Start > Search > selected All Files and Folders > typed in file name.

Nothing found for the .dll file.

I then did a Search for ‘mxtarget’ (only) and it returned 4 hits: 1 winzip file and 1 setup information file each in C:\Documents & Settings \ Terry \ Local Settings \ Temp AND in C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI4F3D.

As they didn’t say .dll, I wasn’t game to delete them just in case it interfered with the orderly way of handling these Nasties so I left them until I could check with you. Any suggestions?
_____________________

I haven't rescanned my system or done another log for you until I hear back from you about this post. I deleted the registry backup file.
______________________

Sorry if I’m a bit timid and not deleting anything I find with ‘twaintec’ in the title but I wasn’t confident and I’d rather check with you first then delete rather than the other way around <g>.

Late last night I bought TrojanHunter and after I get some sleep and I’m a bit fresher I’ll install it and learn how to use it.

I’ll wait for your advice on the next step in this battle…Thanks.

Terry

#8 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 28 July 2004 - 11:16 PM

If you are not comfortable working in the registry, let's just wait and see if TrojanHunter finds anything.
If you cannot delete files in normal mode, try it in Safemode.
After that, flush System Restore as described above.
Then run Housecall and Panda again.
Post a fresh HJT log and we'll take a look.
Microsoft MVP - Consumer Security

#9 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 29 July 2004 - 09:04 AM

If you are not comfortable working in the registry, let's just wait and see if TrojanHunter finds anything.
If you cannot delete files in normal mode, try it in Safemode.
After that, flush System Restore as described above.
Then run Housecall and Panda again.
Post a fresh HJT log and we'll take a look.

Hi, thanks again for the quick replies.

"If you are not comfortable working in the registry,". I may have confused you. I don't mind deleting a registry file when I've been specifically pointed to it but I didn't want to delete those particular registry files I found by myself until I checked with you in case I interfered with your pre-ordained methodology of doing things. I was told that sometimes if you get out of sequence doing things you can make things worse...and I didn't want to do that to someone helping me.

So, is it ok for me to delete the files in I found in the registry under HKEY_USERS e.g. twaintec | srss | mxTarget files (the nest of bad buggers I lisetd in my last post)?

And, is it ok for me to delete the 4 mxtarget files (2 winzip and 2 setup information files) I found in C:\Documents & Settings \ Terry \ Local Settings \ Temp AND in C:\Documents & Settings \ Terry \ Local Settings \ Temp \ THI4F3D I listed in my last post?


"...let's just wait and see if TrojanHunter finds anything." I bought TrojanHunter, ran it and it did not find anything relevant to what we are doing. (It was unable to unpack UPX-Packed files for a couple of programs I believe are 'safe').

I'll wait for your advice re deleting the files I mentioned above - follow that advice - flush System Restore - run Housecall and Panda again (and NAV?) - and post a fresh HJT log. I'll do a registry backup the way you showed me, before I do the other stuff <g>.

Does that sound like a good plan to you?

Edited by terrytturtle, 30 July 2004 - 01:59 AM.


#10 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 31 July 2004 - 05:20 PM

Just delete the files in those temp folders. Do not delete the temp folders.
Microsoft MVP - Consumer Security

#11 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 06 August 2004 - 09:22 AM

Hi Bugbatter,

Last week I deleted those 4 mxTarget files but have been away and only now have had the time to do the full scans needed. (I also removed file preInsMt that was with mxTarget files but kept a copy of it on a floppy disk just in case but my pc is working ok).

Tonight I full scanned with Ad-aware, Spybot, Bazooka, TrojanHunter and then Nortons AV plus online scans by HouseCall and ActiveScan. All came back ok. (YES!!!! :D )

However I re-visited the registry and the twaintec and mxTarget files I mentioned are still there under: HKEY_USERS \ S-1-5-21-343818398 – 630328440 – 725345543 – 1003 \ Software \ Microsoft \ Search Assistant \ ACMru \ 5603.

In the right-hand pane:
Name: 003 - Type: REG_SZ - Data: mxtarget.dll
Name: 004 - Type: REG_SZ - Data: mxtarget
Name: 008 - Type :REG_SZ - Data: twaintec

Should I delete those files?

Those srss file/s my pc shop said they thought was a trojan is also still there. When it tried to get access to the Internet last week I used Nortons to deny access permission and nothing has stopped working on my pc...so far. They are shown as:

Name: 006 - Type: REG_SZ - Date: srss
Name: 007 - Type: REG_SZ - Data: srss.exe

Have you now heard anything bad about srss.exe? I was told it may stand for system resource service ? file but don't know if that's a good file or a bad file.

Below is my HijackThis log. Would you please review it for me and let me know what you think.

Logfile of HijackThis v1.98.0
Scan saved at 11:25:33 PM, on 06/08/04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\AceLogix\StartupGuard\sg.exe
C:\Program Files\Enfish\Enfish Find\EtiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Enfish\Enfish Find\PropMSvr.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis (Std vers).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 127.98.9.1 pop.ozemail.com.au.b9
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\Program Files\Mass Downloader\MDHELPER.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Enfish Find... - {1F680408-B58A-40B0-A330-50A344786F97} - C:\Program Files\Enfish\Enfish Find\EtiFndBr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Nokia\Nokia PC Suite 5\DataLayer.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [Startup Guard] C:\Program Files\AceLogix\StartupGuard\sg.exe
O4 - HKCU\..\Run: [Slingshot Tray App] C:\Program Files\Enfish\Enfish Find\EtiTray.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Pro\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Pro\Add_AllO.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra 'Tools' menuitem: &Mass Downloader - {0FD01980-CCCB-11D3-80D4-0000E80E2EDE} - C:\Program Files\Mass Downloader\massdown.exe
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://E:\content\include\XPPatchInstaller.CAB
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberli...udio/ChkDVD.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://instantsuppor...SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://E:\Content\include\msSecUcd.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F0E12B-730B-4D8C-8664-E8B6F0EA1989}: NameServer = 210.80.58.34,210.80.58.42
O18 - Protocol: eti - {3AAE7392-E7AA-11D2-969E-00105A088846} - C:\Program Files\Enfish\Enfish Find\EtiPBrkr.dll

With your help my pc is looking at lot better. Thank you.

#12 terrytturtle

terrytturtle

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 August 2004 - 07:42 AM

Hi Bugatter, are you still able to help me on this? :wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button