Jump to content


Photo

Hmmm ..


  • This topic is locked This topic is locked
10 replies to this topic

#1 Baron

Baron

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 May 2004 - 02:11 PM

Im on a dial-up connection, and today when i browsed RapMusic.com - it automatically dis-connected me, then wouldnt let me re-connect and said the modem was already in use.

ms-its: mhtml:file://c:\66.117.37.5:80\dexGB278.exe.mht!http://66.117.37.5:8...x/2.chm::/1.htm

^ It had that wrote in its title thing, i noted it down as it struck me as odd. Hasnt happened on any other site, only that one. Any ideas?

#2 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 26 May 2004 - 02:38 PM

Sounds like you've got a dialer of some kind. Let's have a look at a HijackThis Log.

If you don't already have HijackThis, Download HijackThis from http://spywareinfo.c...hijackthis.exe . Create a new folder called C:\HJT and place HijackThis in it. Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log (notepad will open up with the log in it) and copy and post that log onto this topic. DO NOT Delete or modify anything yet, as some of it is needed to keep your system in Good Shape.

An expert will come along to see what needs to be done.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#3 Baron

Baron

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 26 May 2004 - 02:50 PM

Logfile of HijackThis v1.97.7
Scan saved at 20:52:48, on 26/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.skyinet.n...WIN-BUGSFIX.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {06D95EBE-1914-44CF-BDE3-C894A22B8286} - C:\WINDOWS\SYSTEM\KCILJAA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\PROGRAM FILES\COSMO POPUP BLOCKER\TRREADERBAR_.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [LINUX32] C:\WINDOWS\SYSTEM\LINUX32.vbs
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [Cosmo Popup Blocker] C:\Program Files\Cosmo Popup Blocker\CosmoPopupBlocker.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [zcri32vlsz] C:\SYMANTEC\PEWXEFRZSC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [myJabber v3.5] C:\PROGRAM FILES\MYJABBER\MYJABBER.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.EXE" -h
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [aimboot] %SystemRoot%\awinrar.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: AskCosmo! (HKLM)
O9 - Extra 'Tools' menuitem: AskCosmo! (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.21...r_loader/uk.cab
O16 - DPF: {BD092CD7-AA66-4FF6-8CE1-D4E01489ED2B} (VacPro.UserControl1) - http://www.7adpower....ialer/EMSAT.CAB
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#4 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 27 May 2004 - 09:25 AM

I'm looking over your log right now to see what needs to be done. I'll be back in a bit.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#5 Baron

Baron

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 27 May 2004 - 11:40 AM

Cheers man.

#6 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 27 May 2004 - 10:43 PM

First thing to do is download & install the following programs: CWShredder, Ad-Aware, and Spybot S&D.

Run CWShredder first (make sure all browser and explorer windows are closed). Let it fix everything it finds. A box may pop up telling you that it can't determine if a file is bad or not. Click on No and report back with the file name. Reboot the system when finished.

Next, run Ad-Aware. Before scanning do the following:

Update the program first (click on check for updates).

Click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard
drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

Now press "Next" to let Ad-aware scan your drives. It will find a number of "bad" files and registry keys. Click 'Next' again. Right-click in that pane and choose "select all". If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Then close Ad-Aware, and reboot.

Next, run Spybot S&D. Let it fix all items marked in red.

Finally, reboot and post a new log.

When you get the chance, download the latest version of IE (you have an outdated version) and download all critical updates (if you haven't done so).

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#7 Baron

Baron

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 28 May 2004 - 06:31 PM

Did everything except download latest IE - i'll do that shortly. Here's the new log:



Logfile of HijackThis v1.97.7
Scan saved at 00:33:05, on 29/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COSMO POPUP BLOCKER\COSMOPOPUPBLOCKER.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TOPPOP.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\KCILJAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.skyinet.n...WIN-BUGSFIX.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O1 - Hosts: 209.87.155.230 date.com
O1 - Hosts: 209.87.155.230 dating.com
O1 - Hosts: 209.87.155.230 freedating.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {06D95EBE-1914-44CF-BDE3-C894A22B8286} - C:\WINDOWS\SYSTEM\KCILJAA.DLL (disabled by BHODemon)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AskCosmo! - {38D2A281-0444-433C-9ED6-A2851795F32A} - C:\PROGRAM FILES\COSMO POPUP BLOCKER\TRREADERBAR_.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [LINUX32] C:\WINDOWS\SYSTEM\LINUX32.vbs
O4 - HKLM\..\Run: [Password Check] c:\windows\GrabCookie.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PIOLET] C:\PROGRAM FILES\PIOLET\PIOLET.exe SILENT
O4 - HKLM\..\Run: [Cosmo Popup Blocker] C:\Program Files\Cosmo Popup Blocker\CosmoPopupBlocker.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [s2m07mplia] C:\SYMANTEC\PEWXEFRZSC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.EXE" -h
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O9 - Extra button: AskCosmo! (HKLM)
O9 - Extra 'Tools' menuitem: AskCosmo! (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab

#8 Baron

Baron

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 28 May 2004 - 07:04 PM

I also ran that HouseCall thing someone else suggested previously - it found files called:

TROJ SMALL.FO in the C:\\WINDOWS\TEMP\xwxload.exe
TROJ STARTPAGE.L in the C:\\WINDOWS\sh2.exe


Not sure if that helps any?

#9 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 28 May 2004 - 11:54 PM

You've got a variant of about:blank that needs special tools to deal with. I'm checking to see what should be done next.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#10 VashonDude

VashonDude

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,255 posts

Posted 29 May 2004 - 10:34 PM

This article will help you with the about:blank problem. Only go as far as step 5 and post the contents of "output.txt" here. Do not proceed to step 6 yet. I will tell you when to proceed.

-- LB
Want to help in the fight against malware? Join the SWI boot camp.

#11 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 12 October 2004 - 05:15 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button