Jump to content


Photo

A BHO has hijacked my PC


  • Please log in to reply
8 replies to this topic

#1 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 30 May 2004 - 02:35 PM

I desperately need help and advice on the following.

Spyware Guard is now constantly informing me with a warning that a BHO has been added and then informs me of at least 6 changes to Start, default and Local Pages to "GREATSEARCH.BIZ". It was informing me about a change to ABOUT:BLANK. I have always checked that SWG restore the old valueds but must have missed the ABOUT:BLANK warning.

Thw warnings are constant like it is in a loop.

My Symantec AntiVirus (which is up to date) has apparently been attacked because e-mail protection has an error and the Auto Protect has been turned off (not by me ever for sure).

I managed to get on-line to Symantec and ran their on-line check which IDed an infection by "Trojan.ByteVerify" but my updated anto virus software at my local machine did not find it.

I run Adware 6.0 (which is up to date) which IDs 6 problems, deletes them, but the come back immediately.

Spybot S&D does not see any problems.

My internet access has been affected (I really don't know how I managed to get on line this time). My IE has been hijacked and MSN statrs up immedialely and tries to get online (I assume one of the hijackers is doing this).

I spent about 16 hours on the phone with MSN Tech Support and the malware running made it impossible to maneuver even to my internet properties.

I ran Hijack this and can see many items that are BHO amd search items. I would remove them but as a newbie there are so many items that may be legit I thought it best to post to this forum.

My Hijack this log follows. Thank you!


Logfile of HijackThis v1.97.7
Scan saved at 2:27:50 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\1-my Downloads\PC-Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search123.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mke.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.power-search.info/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://greatsearch.biz/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [emuawlwgx] C:\WINDOWS\System32\vgltjeme.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\msstasks.exe /u
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapicc.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MsUpdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://69.31.87.70/1/deaGB48.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egai...g/ie/SecMgr.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7861.7623842593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F346C59-7E24-4291-80DF-7955E701A84C}: NameServer = 209.244.0.3 209.244.0.4

#2 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 30 May 2004 - 02:38 PM

PS. I neglected to say that I have read the SWI Forum FAQs.

#3 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 04 June 2004 - 05:42 PM

I know that this group has had some changes and it sure seems like the members are more than busy. Subesequent to my initial post I reran HijackThis and tried to clean it up as much as possible.

The following is a fresh Log. I have run the program in Safe mode and Regular startup. The R0 to R3 messages have been reduced but not elinminated. I realize that there most be a program starting during normal startup that is regenerating the problem.

I don't know if it is the same problem but my Symantec auto-protecty is getting turned off by something. I am running Adware and Spybot's S&D which report the problem but don't clean things up.

Does this thing have a name?

Here is my latest log:

Logfile of HijackThis v1.97.7
Scan saved at 12:03:44 PM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\1-my Downloads\PC-Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=137837
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://greatsearch.biz/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QD FastAndSafe] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [oiuivlzn] C:\WINDOWS\System32\vgltjeme.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\msstasks.exe /u
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MsUpdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://69.31.87.70/1/deaGB48.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7861.7623842593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 04 June 2004 - 05:55 PM

First, please download and run the latest version of CWShredder, which should remove some of your problems. Then post a fresh Hijack this log.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 05 June 2004 - 09:30 PM

Thanks for the response ;)

I did DL and run CWS Shredder. My system did seem to run a bit better after I rebooted although some infection remains.

Here is a new HiJackThis Log.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\vgltjeme.exe
C:\WINDOWS\msstasks.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\1-my Downloads\PC-Security\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://srch-us4.hpwis.com/
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QD FastAndSafe] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch

Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal

Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega

HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec

Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet

Optimizer\optimize.exe"
O4 - HKLM\..\Run: [rsjrnc] C:\WINDOWS\System32\vgltjeme.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\msstasks.exe /u
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money

Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton]

C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application

Data\eber.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program

Files\QUICKENW\bagent.exe
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet

Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil -

https://www-secure.s...supportutil.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} -

http://download.micr...9-bb19-f5bd11b4

0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template

and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {11111111-1111-1111-1111-111111111237} -

http://69.31.87.70/1/deaGB48.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) -

http://www.xxxtoolba...006_regular.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} -

http://new.tnc4u.com/MCInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -

http://download.micr...0-9F5F-94901338

C922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -

https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -

http://office.micros...ontent/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) -

http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller

Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupd...B?37861.7623842

593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry

Information Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on

the Web Control) -

http://officeupdate....nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -

https://www-secure.s.../ActiveData.cab

#6 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 07 June 2004 - 03:25 PM

bump

#7 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 07 June 2004 - 05:28 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [rsjrnc] C:\WINDOWS\System32\vgltjeme.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\msstasks.exe /u
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe

O9 - Extra button: Sidesearch (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://69.31.87.70/1/deaGB48.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) -
http://www.xxxtoolba...006_regular.cab

Reboot, and delete

files
C:\WINDOWS\system32\usb.exe
C:\WINDOWS\System32\vgltjeme.exe
C:\WINDOWS\msstasks.exe
C:\Documents and Settings\Owner\Application Data\eber.exe

folder
C:\Program Files\ClockSync

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#8 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 12 June 2004 - 11:15 AM

I haven't been able to go online with my PC since I performed the fix.

The good news is that it looks like the malware is totally gone.

The bad news is that I can not access my Sound capability, Printers or modem, or write to my CD-R drive. I can't add a device, my Microsoft Office Software will not start and my USB ports have a problem. My guess is that some Start up file has been purged.

The following is my latest (6/9) HijackThis log. It is followed by a copy of the above 6-5 log with the lines that are gone in the 6-9 log marked with an "X" in the first column.


Logfile of HijackThis v1.97.7
Scan saved at 7:25:25 AM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\1-my Downloads\PC-Security\HijackThis.exe

O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QD FastAndSafe] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7861.7623842593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab


If it helps, I compared the 6-9 log to the 6-5 loag and makked the lines that were on the 6-5 loag that are gone from 6-5 with an X in col 1.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:37 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
X C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
X C:\WINDOWS\system32\LEXBCES.EXE
X C:\WINDOWS\system32\spoolsv.exe
X C:\WINDOWS\system32\LEXPPS.EXE
X C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
X C:\WINDOWS\System32\drivers\CDAC11BA.EXE
X C:\PROGRA~1\Iomega\System32\AppServices.exe
X C:\Program Files\Norton Personal Firewall\NISUM.EXE
X C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
X C:\WINDOWS\System32\nvsvc32.exe
X C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
X C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\LXSUPMON.EXE
X C:\WINDOWS\System32\svchost.exe
C C:\HP\KBD\KBD.EXE
X C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\windows\system\hpsysdrv.exe
X C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
X C:\Program Files\Common Files\Symantec Shared\ccApp.exe
X C:\Program Files\Internet Optimizer\optimize.exe
X C:\WINDOWS\System32\vgltjeme.exe
X C:\WINDOWS\msstasks.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
X C:\Documents and Settings\Owner\Application Data\eber.exe
X C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\SpywareGuard\sgmain.exe
X C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\1-my Downloads\PC-Security\HijackThis.exe

X R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
X R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
X R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
X R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
X R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
X R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
X R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
X R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
X O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QD FastAndSafe] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [fbdirect] C:\PROGRA~1\VISION~1\PAPERP~1\fbdirect.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
X O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
X O4 - HKLM\..\Run: [rsjrnc] C:\WINDOWS\System32\vgltjeme.exe
X O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
X O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\msstasks.exe /u
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
X O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
X O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
X O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
X O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://69.31.87.70/1/deaGB48.exe
X O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} - http://new.tnc4u.com/MCInst.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs5b.instants...erxsigned33.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7861.7623842593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Please let me know by e-mail to my yahoo address if there is a response. I have a lender PC at the public library.

#9 billwyld

billwyld

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 18 June 2004 - 09:44 AM

bump




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button