vintageport

Can't get rid of a popup for spyware removal

20 posts in this topic

I keep getting a series of popup ads (4 or 5 different ads) directing me to the following URL:

http://vn/msie.tv/popup14.php?pin#13.

 

It's a site for commercial spyware/adware removal. I ran SPYBOT and came out clean; I ran X-clean and came out clean. Also ran CWShredder. All to no avail. Does someone have an idea how to get rid of this wretched series of popups?


Here's the Hijackthis log for the malware problem just reported:

 

Logfile of HijackThis v1.97.7

Scan saved at 2:30:05 PM, on 5/31/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Sony\VAIO Action Setup\VAServ.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\WINDOWS\System32\cidaemon.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\America Online 9.0\aolwbspd.exe

C:\Program Files\Hijackthis\HijackThis.exe


Try this one. I must have inadvertently cut it off while copying. Sorry!

 

Logfile of HijackThis v1.97.7

Scan saved at 3:24:15 PM, on 5/31/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Sony\VAIO Action Setup\VAServ.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\WINDOWS\System32\cidaemon.exe

C:\WINDOWS\System32\HPHipm09.exe

C:\Program Files\America Online 9.0\waol.exe

C:\Program Files\America Online 9.0\shellmon.exe

C:\Program Files\America Online 9.0\aolwbspd.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {E08A647C-F4E5-4A2F-B54E-20F22A967735} - C:\WINDOWS\System32\igl.dll

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .pzm: C:\Program Files\Internet Explorer\Plugins\npPrizmPrint.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074

O17 - HKLM\System\CCS\Services\Tcpip\..\{EC00AEFE-3EC6-4F9C-B06E-FA1BB48D1295}: NameServer = 205.188.146.146


Hi,

First thing you need to do is go to Windows Update and install all the "Critical Updates". The fix below requires that the updates be installed; otherwise you will just get reinfected.

 

Next: uninstall "MyWebSearch Email Plugin" via Add Remove.

 

After the above ...

 

Download CWShredder

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Unzip but don't run it yet, it will be needed later.

 

Download: dllfix.exe

http://downloads.subratam.org/dllfix.exe

 

Save it, preferably to your Desktop.

Double-click dllfix.exe; it will create its own folder.

From the "dllfix" folder, double-click start.bat.

Run Option 1, which is "Run Find-All...": (type) 1 (press Enter).

Let it complete; there will be a pop-up window with a log.

This generates output.txt. Paste the contents of "output.txt" in your next post.


Mike - Thanks for the help!

I downloaded the Windows updates. Only 16 of them, which is why it took so long to get back to you via this post. Whew. (I also set the controls to perform the automatic downloads when they're issued.) When I went to uninstall the "MyWebSearch Email Plugin" I got a message stating that the specified module can't be found. Apparently, it wasn't really there. CWShredder is installed, and here's the DLLFIX report:

 

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Mon 05/31/2004

10:39 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (844C:A716) - FS:NTFS clusters:4k

Total: 16 039 260 160 [15G] - Free: 8 160 874 496 [7.6G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

 

 

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COME.DLL +++ File read error

\\?\C:\WINDOWS\System32\COME.DLL +++ File read error

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E08A647C-F4E5-4A2F-B54E-20F22A967735}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{E0D20753-EA55-44E0-A460-3D488CAA108C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{E0D20753-EA55-44E0-A460-3D488CAA108C}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 


Hi,

[step 2]

 

Run the "start.bat" again.

Select "Option 2" and choose the correct option in the submenu.

 

In submenu choose

 

Option 1 --> applies if you found the DLL name that is locked or in the AppInit key.

 

type the name > COME.DLL

 

 

Important! Reboot, do nothing else.

 

There will be an on-boot scan screen for the "dll", which will search for it and fix it.

There will just be an md5 scan.

 

 

Reboot.

 

On restart run CWShredder

 

Next: Run HijackThis and post a fresh log.

 

Also post a new "output.txt" (option 1 in start.bat )


Hello again. I followed the instructions but still have that doggone popup. Here are the new logs. Sorry about not getting back to you sooner but I had to go off to work this morning. Thanks for the help!!

 

Logfile of HijackThis v1.97.7

Scan saved at 5:51:48 AM, on 6/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Sony\VAIO Action Setup\VAServ.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .pzm: C:\Program Files\Internet Explorer\Plugins\npPrizmPrint.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074

 

 

 

 

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Tue 06/01/2004

05:53 AM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (844C:A716) - FS:NTFS clusters:4k

Total: 16 039 260 160 [15G] - Free: 8 880 058 368 [8.3G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

 

 

Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COME.DLL +++ File read error

\\?\C:\WINDOWS\System32\COME.DLL +++ File read error

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF91DAB9-54E9-437F-977C-B649B6E66D35}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{C5A3E14E-1E2A-44F6-8CA0-C9BFD7282497}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{C5A3E14E-1E2A-44F6-8CA0-C9BFD7282497}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM


Hi,

Run "start.bat" (type) 2 (press Enter)

Next: (type) 1 (press Enter)

Next: (type) come.dll (press Enter)

Follow the screen instructions.

 

Reboot.

 

On restart run CWShredder

 

Next: Run HijackThis and post a fresh log.

 

Also post a new "output.txt" (option 1 in start.bat )


Hi again. Followed the last set of actions but the blasted popup is still there. Had a heck of a time getting into this site. Had to re-boot several times since the computer kept freezing, then ran so slowly I almost fell asleep between keystrokes and responses. Here are the logs. Thanks for the help!!

 

Logfile of HijackThis v1.97.7

Scan saved at 5:35:18 PM, on 6/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe

C:\Program Files\Sony\VAIO Action Setup\VAServ.exe

C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe

C:\Program Files\Hijackthis\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {DF8F82AC-090A-4CE0-8B55-DB0C1E1F872C} - C:\WINDOWS\System32\igl.dll

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .pzm: C:\Program Files\Internet Explorer\Plugins\npPrizmPrint.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074

 

 

 

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--

--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

 

Tue 06/01/2004

05:47 PM

 

System Info:

 

Microsoft Windows XP [Version 5.1.2600]

C: "" (844C:A716) - FS:NTFS clusters:4k

Total: 16 039 260 160 [15G] - Free: 8 878 612 480 [8.3G]

 

 

*IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

*Notepad version :

5.1.2600.0 C:\WINDOWS\system32\notepad.exe

5.1.2600.0 C:\WINDOWS\notepad.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;

 

 

 

Locked or 'Suspect' file(s) found...

 

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

"Appinit_Dlls"=""

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF8F82AC-090A-4CE0-8B55-DB0C1E1F872C}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{E7D229DB-3795-4720-A95C-939F6529824B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{E7D229DB-3795-4720-A95C-939F6529824B}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

AppInit_Dlls REG_SZ

 

*Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

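Added example (editor's, not part of the thread or of the dllfix tool): the RegDACL listing above is the ACL on the key that holds AppInit_Dlls, which matters because every DLL named in that value is loaded into every process that links user32.dll, so whoever can write it owns the machine. The check a practitioner wants from that listing is simply "who can write here?". The script below parses the ACE lines exactly as RegDACL printed them (copied from the listing), derives the effective permissions the same way RegDACL's summary does, and reports whether anyone outside Administrators and SYSTEM can modify the key. The flag meanings (ID inherited from the parent key, IO inherit-only, NI applies to this key and is not propagated) are assumed from the standard Windows ACE flags; the function names are mine.

```python
import re

# ACE lines copied verbatim from the RegDACL listing posted above.
REGDACL_ACL = r"""
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
"""

# Principals that are expected to be able to change AppInit_Dlls (assumption).
TRUSTED_WRITERS = (r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")

ACE_RE = re.compile(
    r"^\((?P<flags>[A-Z-]+)\)\s+(?P<type>ALLOW|DENY)\s+"
    r"(?P<right>Read|Write|Full access)\s+(?P<principal>\S.*?)\s*$"
)
RIGHT_RANK = {"Read": 1, "Write": 2, "Full access": 3}


def parse_acl(text):
    """One dict per ACE line. Flag meanings are assumed from the Windows ACE
    flags: ID = inherited from the parent key, IO = inherit-only (applies to
    subkeys, not to this key), NI = applies to this key, not propagated."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        aces.append({
            "flags": set(m.group("flags").split("-")),
            "type": m.group("type"),
            "right": m.group("right"),
            "principal": m.group("principal"),
        })
    return aces


def effective_permissions(aces):
    """Highest allowed right per principal on the key itself.
    Inherit-only ACEs are skipped (they only shape subkeys); a DENY for a
    principal drops it entirely, a simplification of per-bit DACL evaluation."""
    allowed, denied = {}, set()
    for ace in aces:
        if "IO" in ace["flags"]:
            continue
        if ace["type"] == "DENY":
            denied.add(ace["principal"])
            continue
        cur = allowed.get(ace["principal"])
        if cur is None or RIGHT_RANK[ace["right"]] > RIGHT_RANK[cur]:
            allowed[ace["principal"]] = ace["right"]
    return {p: r for p, r in allowed.items() if p not in denied}


def writers(aces):
    """Principals that can modify values under the key (Write or Full access)."""
    return sorted(p for p, r in effective_permissions(aces).items()
                  if RIGHT_RANK[r] >= RIGHT_RANK["Write"])


def appinit_key_locked_down(aces, trusted=TRUSTED_WRITERS):
    """True when only the trusted principals can write AppInit_Dlls."""
    return all(p in trusted for p in writers(aces))


if __name__ == "__main__":
    aces = parse_acl(REGDACL_ACL)
    for principal, right in effective_permissions(aces).items():
        print(f"{right:12} {principal}")
    print("writers:", writers(aces))
    print("locked down:", appinit_key_locked_down(aces))
```

Run against the listing above it reproduces RegDACL's own "Effective permissions" block (Users Read, Administrators and SYSTEM Full access; CREATOR OWNER drops out because its only ACE is inherit-only) and reports the key as locked down. Add a non-inherit-only Full access ACE for BUILTIN\Users and the same check fails, which is the condition that would let an unprivileged account plant a DLL in AppInit_Dlls.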

Hi,

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

C:\Program Files\MyWebSearch <--this folder

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {DF8F82AC-090A-4CE0-8B55-DB0C1E1F872C} - C:\WINDOWS\System32\igl.dll

O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: Real-time Monitor.lnk = ?

O4 - Global Startup: VAIO Action Setup (Server).lnk = ?

 

While still in Safe Mode: run CWShredder

 

Restart normally and then ...

 

Download the latest version of Ad-Aware:

http://www.lavasoft.de/software/adaware/

 

After installing AAW, and before running the program:

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above post a fresh log ...


Hi Mike. With fingers crossed, toes crossed, and eyes crossed, I think you might have killed that spyware/adware popup. Nothing happened when I logged into AOL tonight after following your instructions. That is excellent! Many thanks. But, I see some of the files Hijackthis was to have fixed have returned (e.g. 04 Mywebsearch email plugin - - which was removed earlier). Should I try the fix again? By the way, I quarantined those 16 tracking cookies Adaware found. The Adaware manual didn't say, but I presume if I delete the quarantine file holding them, I'll be deleting them as well?

 

Here is the latest Hijackthis log and the Adaware log. If there is something else I ought to do, let me know. I'll check back here tomorrow. Again, thanks!

 

Logfile of HijackThis v1.97.7

Scan saved at 11:38:52 PM, on 6/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Hijackthis\HijackThis.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .pzm: C:\Program Files\Internet Explorer\Plugins\npPrizmPrint.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074

 

 

 

Lavasoft Ad-aware Personal Build 6.181

Logfile created on :Wednesday, June 02, 2004 11:12:19 PM

Created with Ad-aware Personal, free for private use.

Using reference-file :01R298 20.04.2004

______________________________________________________

 

Reffile status:

=========================

Reference file loaded:

Reference Number : 01R298 20.04.2004

Internal build : 229

File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref

Total size : 1067557 Bytes

Signature data size : 1049356 Bytes

Reference data size : 18137 Bytes

Signatures total : 23569

Target categories : 10

Target families : 455

6-2-2004 11:08:57 PM Error retrieving update

 

 

Memory + processor status:

==========================

Number of processors : 1

Processor architecture : Intel Pentium IV

Memory available:63 %

Total physical memory:523808 kb

Available physical memory:324924 kb

Total page file size:1280732 kb

Available on page file:1141552 kb

Total virtual memory:2097024 kb

Available virtual memory:2053708 kb

OS:

 

Ad-aware Settings

=========================

Set : Activate in-depth scan (Recommended)

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-aware Settings

=========================

Set : Unload recognized processes during scanning

Set : Include basic Ad-aware settings in logfile

Set : Include additional Ad-aware settings in logfile

Set : Let windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Always back up reference file, before updating

Set : Play sound if scan produced a result

 

 

6-2-2004 11:12:19 PM - Scan started. (Custom mode)

 

 

Deep scanning and examining files (C:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Tracking Cookie Object recognized!

Type : File

Data : tr@2o7[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 8:43:03 PM

Last accessed : 6/3/2004 4:12:34 AM

Last modified : 6/2/2004 2:26:38 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@advertising[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 7:00:01 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 7:00:01 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@atdmt[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 6/1/2004 9:38:07 PM

Last accessed : 6/3/2004 3:54:15 AM

Last modified : 6/1/2004 9:38:07 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@citi.bridgetrack[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 9:49:35 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 9:49:35 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@data.coremetrics[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 6:09:54 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 6:09:54 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@doubleclick[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 4:25:06 PM

Last accessed : 6/3/2004 3:52:16 AM

Last modified : 5/31/2004 4:25:07 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@ehg.hitbox[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 4:25:16 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 4:25:16 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@hitbox[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 4:25:15 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 4:25:16 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@mediaplex[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 6/1/2004 10:07:29 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 6/1/2004 10:07:29 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@qksrv[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 6/3/2004 3:52:15 AM

Last accessed : 6/3/2004 3:52:15 AM

Last modified : 6/3/2004 3:52:15 AM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@questionmarket[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 9:25:59 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 9:25:59 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@servedby.advertising[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 9:26:10 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 9:26:10 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@server.iad.liveperson[1].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 5:42:21 PM

Last accessed : 6/3/2004 4:12:35 AM

Last modified : 5/31/2004 5:43:06 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@tmpad[1].txt

Category : Data Miner

Comment : www.searchtraffic.com

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 9:45:37 PM

Last accessed : 6/3/2004 4:12:36 AM

Last modified : 5/31/2004 9:45:37 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@trafficmp[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 5/31/2004 9:45:37 PM

Last accessed : 6/3/2004 4:12:36 AM

Last modified : 5/31/2004 9:45:37 PM

 

 

 

Tracking Cookie Object recognized!

Type : File

Data : tr@tribalfusion[2].txt

Category : Data Miner

Comment :

Object : C:\Documents and Settings\TR\Cookies\

 

Created on : 6/3/2004 4:05:12 AM

Last accessed : 6/3/2004 4:05:12 AM

Last modified : 6/3/2004 4:05:12 AM

 

 

 

Disk scan result for C:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 16

 

 

Deep scanning and examining files (D:)

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

 

Disk scan result for D:\

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

New objects : 0

Objects found so far: 16

 

11:30:59 PM Scan complete

 

Summary of this scan

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Total scanning time :00:18:40:391

Objects scanned :185964

Objects identified :16

Objects ignored :0

New objects :16


Hi,

It's strange that CWShredder and AAW didn't remove:

res://C:\WINDOWS\System32\igl.dll/sp.html

 

Let's make sure ...

 

Enable Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: " Hide protected operating system files"

Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button.

 

Open Windows Explorer

Does C:\WINDOWS\System32\igl.dll exist?

 

Next, (Ctrl-Alt-Del) brings up the Task Manager

Click the "Processes" tab

Highlight: "MWSOEMON.EXE", click "End Task", close Task Manager.

 

Open Windows Explorer to:

C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

Delete that file then delete "C:\Program Files\MyWebSearch" folder.

 

Close all open windows except for HijackThis, place a check in each of the following, then click "Fix checked".

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

 

Then reboot ...

 

[Question]

Did you install this keylogger? [more info]

O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB

 

I quarantined those 16 tracking cookies Adaware found.

You should hardly ever see those 3rd party Cookies ...

Blocking Unwanted Cookies with IE 6

http://www.mvps.org/winhelp2002/cookies.htm

 

I presume if I delete the quarantine file holding them, I'll be deleting them as well

Exactly ... if you keep seeing those "Data Miners" then something is missing in your "Layered Protection"

 

After the above ... run IE for a while then post a fresh log.

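Added example, not from the thread and not from HijackThis itself: the two "Fix checked" lists in this thread were built by reading the log by eye. The script below does the same triage over lines copied from the logs posted here, so the reasoning behind those lists is explicit. R0/R1 search entries whose value is a res:// URL into a DLL are treated as the hijack itself; any other entry that references that DLL or the MyWebSearch files is queued for "Fix checked"; the orphaned toolbar (no file) and the HomeOldSP leftover are queued as safe removals; unnamed BHOs and O16 ActiveX downloads from hosts other than Windows Update are listed for review, which is how the GuardianViewer control would surface. The suspect-fragment list and the allowed O16 host are assumptions taken from this thread, not from any HijackThis database, and the function names are mine.

```python
import re
from urllib.parse import urlparse

# Constructed subset of lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\igl.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {DF8F82AC-090A-4CE0-8B55-DB0C1E1F872C} - C:\WINDOWS\System32\igl.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074
"""

# Path fragments this thread identifies as the infection (assumption; case-insensitive).
SUSPECT_FRAGMENTS = ("mywebsearch", "mwsoemon.exe", "igl.dll")
# O16 download hosts not worth a second look (assumption: only Windows Update).
DPF_ALLOWED_HOSTS = ("windowsupdate.microsoft.com",)

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
RES_RE = re.compile(r"=\s*res://(?P<res>\S+)")


def _hijack_dll_basenames(entries):
    """First pass: DLLs named by res:// search-page hijacks (igl.dll here)."""
    names = set()
    for code, rest in entries:
        m = RES_RE.search(rest)
        if code.startswith("R") and m:
            dll = m.group("res").rsplit("/", 1)[0]        # drop the /sp.html resource
            names.add(dll.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def _dpf_host_allowed(host):
    return any(host == h or host.endswith("." + h) for h in DPF_ALLOWED_HOSTS)


def triage(log_text, suspect_fragments=SUSPECT_FRAGMENTS):
    """Return (severity, log line, reason) for every entry worth acting on."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("rest")))
    suspects = {s.lower() for s in suspect_fragments} | _hijack_dll_basenames(entries)

    findings = []
    for code, rest in entries:
        line = f"{code} - {rest}"
        low = rest.lower()
        if code.startswith("R") and RES_RE.search(rest):
            findings.append(("high", line, "search setting points into a DLL resource (res://)"))
        elif code.startswith("R") and ",homeoldsp" in low:
            findings.append(("medium", line, "HomeOldSP is left behind by search-page hijackers; safe to remove"))
        elif any(s in low for s in suspects):
            findings.append(("high", line, "references a file or folder tied to the infection"))
        elif code == "O3" and rest.endswith("(no file)"):
            findings.append(("medium", line, "orphaned toolbar registration"))
        elif code == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(("review", line, "unnamed BHO: confirm the vendor of the DLL"))
        elif code == "O16":
            host = urlparse(rest.rsplit(" - ", 1)[-1]).hostname or ""
            if not _dpf_host_allowed(host):
                findings.append(("review", line, f"ActiveX control downloaded from {host}"))
    return findings


def fix_checked(findings):
    """The lines to tick in HijackThis before clicking 'Fix checked'."""
    return [line for sev, line, _ in findings if sev in ("high", "medium")]


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {why}\n         {line}")
```

On the sample lines the fix list comes out as the three res:// search entries, the HomeOldSP value, the igl.dll BHO, the orphaned toolbar and the two MyWebSearch O4 entries, while the Adobe BHO, the Sony default page and QuickTime are left alone and the GuardianViewer O16 entry is surfaced for the question Mike asked. The correlation step (second-pass match on the DLL named by the res:// hijack) is what ties the O2 entry to the R1 entries, which is the same judgement a human reader makes when the same DLL keeps appearing.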

Mike - - I think you can carve another notch on your computer table for another kill. The popups haven't resurfaced, and I could not find any reference to igl.dll, mwsoemon.exe or MyWebSearch in the directories. Here's the latest log for you to look at. Let me know if you see anything.

 

By the way, no, I didn't install the keylogger. So I invited Hijackthis to have another meal and chew it up. Your service has been excellent. You're to be commended. This is a wonderful site.

 

Logfile of HijackThis v1.97.7

Scan saved at 5:34:12 PM, on 6/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe

C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\System32\hphmon03.exe

C:\progra~1\scansoft\paperp~1\pptd40nt.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Microsoft Money\System\reminder.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\America Online 9.0\aoltray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"

O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [sideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\Common\SWTrayV4.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .jpg: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .lst: C:\Program Files\Internet Explorer\Plugins\NP_PRIZM32P.dll

O12 - Plugin for .pzm: C:\Program Files\Internet Explorer\Plugins\npPrizmPrint.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.8.3.20/peak...s-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7874.6380324074


Hi,

Your log looks clean now ... good job!

By the way, no, I didn't install the keylogger

That's a scary thought! ... better keep a closer eye on things.

O4 - HKLM\..\Run: [AOL Spyware Protection]

That's funny! :rofl: (didn't do much good - did it?)

 

Ok, the last step is to "Flush System Restore" (see below), reboot and run a full system Trend Micro AV scan, reboot and enable System Restore and create a new Restore Point.


Hey, you shouldn't have listened to that guy if you don't know what you're doing. dllfix is a Trojan Creation Tool: a program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a Trojan to an existing product (such as RegEdit.exe), making it a Dropper. And it is named "Win-NT Hack DLL" according to pestpatrol.com :deal: ( http://www.pestpatrol.com/PestInfo/w/win-nt_hack_dll.asp ) & ( http://research.pestpatrol.com/Search/File...e3495d305d49ec6 ). I've heard of a dllfix.exe from http://tools.zerosrealm.com/dllfix.exe before, but I don't think http://downloads.subratam.org/dllfix.exe is the same one. Go run a search on Google and decide for yourself. (Reading someone's logs could be a good way to set up an attack on someone looking to download a new program for help, just thought you should know. :)

Edited by ShawnB391


ShawnB391,

Hey you shouldn't have listened to that guy if you don't know what your doing

Since I was the one that recommended that method, why shouldn't the poster have followed my instructions?

dllfix is a Trojan Creation Tool

Oh please! ... do your homework before you make such ridiculous statements!

 

Did you even bother to look? http://www.subratam.org/

It's just another Forum just like this one, and an alternate location to place files created by other "Trusted" individuals.


Actually, I did read up on dll.fix before installing it (Long Live Google!). So, when I received this guy's IM, I politely ignored it. Frankly, I think he was shilling for a pest prevention site rather than trying to be logical.


vintageport,

So, when I received this guy's IM, I politely ignored it

Sounds like a good idea ...

I think he was shilling for a pest prevention site

I guess? PestPatrol would not have helped in your case anyway. :wave:
