Undocumented Adware Browser Problem



#1 adam6803


Posted 05 June 2004 - 01:35 PM

I've tried every Spyware finder out there, and none have picked this up. When I'm using Internet Explorer, certain words become highlighted after pages load. The words are hyperlinks that are embedded to direct the user to different sites.

I've googled the terms, but haven't found any documentation on them as a known problem. Some of the words and their respective links are as follows:



<a href="http://service.bfast...age=big_island" onMouseover="window.status=''; return true">VACATION</a>
http://service.bfast...page=big_island

<a href="http://www.amazon.com/exec/obidos/redirect-home/smartqpon01-20" onMouseover="window.status=''; return true">BOOK</a>
http://www.amazon.com/exec/obidos/redirect-home/smartqpon01-20

<a href="http://www.ncsreport...inkID=DCF10260" onMouseover="window.status=''; return true">discover</a>
http://www.ncsreport...LinkID=DCF10260

<a href="http://www.ncsreport...inkID=USW10260" onMouseover="window.status=''; return true">VISA</a>
http://www.ncsreport...LinkID=USW10260

<a href="http://www.qksrv.net...350455-9289743" onMouseover="window.status=''; return true">MORTGAGES</a>
http://www.qksrv.net...1350455-9289743

<a href="http://www.alienware.com/index.aspx?from=vertygo:gaming_pc_banner_468x60" onMouseover="window.status=''; return true">INTEL</a>
http://www.alienware.com/index.aspx?from=vertygo:gaming_pc_banner_468x60

<a href="http://www.alienware.com/index.aspx?from=vertygo:gaming_pc_banner_468x60" onMouseover="window.status=''; return true">ATHLON</a>
http://www.alienware.com/index.aspx?from=vertygo:gaming_pc_banner_468x60




I've tried everything, including system restores. But this problem just won't go away. My log is below. Has anyone else had this problem or know how to fix it?


Regards,
Adam



Please find my HJT log below:




Logfile of HijackThis v1.97.7
Scan saved at 3:27:44 PM, on 6/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Macro Magic\Macros.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adam\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AutoTBar] AUTOTBAR.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dwin32.exe
O4 - Global Startup: Iolo Macro Magic.lnk = C:\Program Files\Macro Magic\Macros.exe
O4 - Global Startup: screensaver.scr
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1082059925531
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...40/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38091.8841550926
O16 - DPF: {BA11E984-66D3-11D3-9196-006008105FA5} (SDClientHelper Class) - https://intranet.coneinc.com/solweb/SDClientTools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F11964E-0374-47C5-9F88-3DF53A2557DE}: NameServer = 128.230.12.5,128.230.1.49
O17 - HKLM\System\CS1\Services\Tcpip\..\{3F11964E-0374-47C5-9F88-3DF53A2557DE}: NameServer = 128.230.12.5,128.230.1.49
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F11964E-0374-47C5-9F88-3DF53A2557DE}: NameServer = 128.230.12.5,128.230.1.49

Edited by adam6803, 05 June 2004 - 02:28 PM.


#2 adam6803


Posted 05 June 2004 - 02:02 PM

I submitted a too-long Spybot post by accident. Removing...

Edited by adam6803, 05 June 2004 - 02:22 PM.


#3 jwbirdsong


Posted 05 June 2004 - 02:21 PM

Go to http://tomcoyote.org/hjt/ and download 'Hijack This!'.
Unzip it to its own permanent folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozilla Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file


#4 dave38


Posted 05 June 2004 - 04:42 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
O4 - Global Startup: dwin32.exe
O4 - Global Startup: screensaver.scr

Reboot, and delete files:
c:\CriticalUpdate.exe
c:\registry.pif
c:\windows\mshotfix.exe
dwin32.exe
screensaver.scr

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

#5 SizzlingTool


Posted 04 July 2004 - 09:52 PM

I'm having the same problem. I used Spybot, Ad-Aware, and HJT; the log showed the first three:
O4 - HKLM\..\Run: [MS_Critical_Update] c:\CriticalUpdate.exe
O4 - HKLM\..\Run: [RegistryMon] c:\registry.pif
O4 - HKLM\..\Run: [Microsoft Security Hot Fix] "%SystemRoot%\mshotfix.exe"
but not the rest.
This is the HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 23:42:52, on 4/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Arquivos de programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Arquivos de programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Arquivos de programas\Logitech\iTouch\iTouch.exe
C:\Arquivos de programas\Logitech\MouseWare\system\em_exec.exe
C:\Arquivos de programas\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wilton\Meus documentos\Programas\adaware\HijackThis.exe
C:\Arquivos de programas\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Arquivos de programas\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Arquivos de programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Arquivos de programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Arquivos de programas\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Win32] C:\Win32\dll\Win32k.exe -starthide C:\Win32\dll\Win32.exe -local
O4 - HKCU\..\Run: [RemoteCenter] C:\Arquivos de programas\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Popup Killer] C:\Arquivos de programas\Innovative Technologies\Advanced Popup Killer 2003 version 3.5\Killer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Arquivos de programas\VIA\RAID\raid_tool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Arquivos de programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

What do you think, do I have a chance of getting rid of this annoying thing? :blush:

#6 Guilap


Posted 17 November 2004 - 07:11 PM

I was having the same prob. Compared my log with yours and found out that the culprit was the Download Accelerator Pro. Removed it and now it looks to be fixed.

#7 Guilap


Posted 21 November 2004 - 11:10 PM

Sorry guys, false alarm! :blush: DAP is not guilty!!

The problem is in the bhrw.dll file!! (in my case, the bhrw_ie.dll file, which causes the same problem)

O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw_ie.dll

This issue is NOT addressed by Ad-aware or Spybot (I tried both).

Just check the line which contains bhrw.dll or bhrw_ie.dll in Hijackthis! and click Fix checked. Then go to the c:\windows\system32 dir and make sure that this file is deleted!

The issue is addressed in the following links:

http://www.d-a-l.com...ead.php?t=10594

http://www.webuser.c...sb=5&o=93&part=

http://computercops....postt31102.html

http://castlecops.com/postt28784.html


In case somebody is looking for this info on the net (Google etc.), I compiled some keywords which could trigger the hyperlinks in Explorer:

athlon mortgages hotels discover area51 alienware amazon visa mastercard book cruises vacation advanta flight "discount airfare" "american express" "rental cars" "airline tickets" note "video card"

The question is: how did that file get there?
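
The log comparison described in posts #6 and #7 can be scripted. The following is an added example, not part of the original thread: it intersects the O2 (BHO) entries of the posted logs by CLSID rather than by file name, since the same CLSID appears here as both bhrw.dll and bhrw_ie.dll. The function names and the "unnamed DLL directly in a Windows system directory" filter are assumptions of this example.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <file>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)
# Assumption of this example: an unnamed BHO whose DLL sits directly in a
# Windows system directory deserves a closer look. A filter, not a verdict.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# O2 lines copied from the logs posted in this thread (other sections omitted).
LOG_ADAM = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
"""
LOG_SIZZLING = r"""
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
"""
LOG_GUILAP = r"""
O2 - BHO: (no name) - {40D20724-5D3A-43C8-9FF5-2B6F209DBD27} - C:\WINDOWS\system32\bhrw_ie.dll
"""


def parse_bhos(log_text):
    """Return {CLSID: (name, path)} for every O2 line in one HijackThis log."""
    bhos = {}
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            # CLSIDs are case-insensitive; normalise so logs compare cleanly.
            bhos[m["clsid"].upper()] = (m["name"], m["path"].strip())
    return bhos


def shared_bhos(logs):
    """Return {CLSID: [(name, path) per log]} for BHOs present in every log."""
    parsed = [parse_bhos(text) for text in logs]
    common = set(parsed[0]).intersection(*parsed[1:])
    return {clsid: [p[clsid] for p in parsed] for clsid in sorted(common)}


def flag_suspects(shared):
    """Keep shared BHOs that are unnamed and load from a system directory."""
    flagged = {}
    for clsid, entries in shared.items():
        unnamed = all(name == "(no name)" for name, _ in entries)
        in_sysdir = all(dirname(p).lower() in SYSTEM_DIRS for _, p in entries)
        if unnamed and in_sysdir:
            flagged[clsid] = sorted({basename(p).lower() for _, p in entries})
    return flagged


if __name__ == "__main__":
    for clsid, files in flag_suspects(shared_bhos([LOG_ADAM, LOG_SIZZLING])).items():
        print(clsid, files)
```

The two full logs share four BHOs (Acrobat, Spybot's SDHelper, NAV Helper and the bhrw entry); the filter leaves only the last, which still needs manual confirmation before anything is fixed in HijackThis.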



