Recurring MyWebSearch Hijack



#1 Silphion

Posted 07 June 2004 - 12:54 AM

I've been hit by a pretty strong Hijack. Since yesterday, I've been battling with various programs (see the list below), and have been running AdAware or Spybot S&D every 3 hours (with updates beforehand), and I'm still getting some pretty bad attacks.

So far, I've gone so far as to restrict I.E., and download and install Mozilla as my default browser. It's done nothing to stop the current downloads.

I'm reaching the end of my limits in ideas. I've personally killed or let Ad-Aware and SpyBot kill many of these things, but they keep coming back. Please help when you can.

The following programs have been noticed, and in some cases, killed.
CoolWebSearch - Toolband Affiliate - Killed by CWShredder
MyWebSearch - Recurring (Killed 7 times so far)
Iconz.exe - Deleted
Stop Sign Virus Scan (bundlewr_bndl.exe) - Stopped
AdWatch - PopUp
"loading..." - IE Screen that comes up every hour.
AdDestroyer - Killed 2 times
Virtual Bouncer - Uninstalled/Killed 2 times
eAcceleration - Killed
VX2.BetterInternet - Killed 3 times
fxssvc.exe - ??? (noticed briefly during startup)


HijackThis Log - Run after last Ad-Aware/Spybot Scans & Reboot
Logfile of HijackThis v1.97.7
Scan saved at 12:36:36 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\NuonSoft\WallpaperCycler\wallpapercycler.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Documents and Settings\All Users\Documents\Tools\HijackThis.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomshardware.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.webcrawle...wbcrwl.toolbar/
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Webcrawler Toolbar - {9677F3F1-E994-451F-805F-7148CC8AE040} - C:\Program Files\WebcrawlerToolbar\ultrabar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Webcrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\WebcrawlerToolbar\contextsearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.dslreports.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{256CA830-94CA-484A-9633-DB6C6AA6F1EC}: NameServer = 205.188.146.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{C67B2768-1CB6-4B34-AAB8-8438B01ACD88}: NameServer = 68.62.160.6,68.62.160.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{256CA830-94CA-484A-9633-DB6C6AA6F1EC}: NameServer = 205.188.146.146

Edited by Silphion, 07 June 2004 - 01:20 AM.


#2 Silphion

Posted 07 June 2004 - 02:23 AM

New information found (and slight bump)
Looking at my Outgoing Traffic log, I've noticed that the "loading..." screen was the following address:

donotclick://69.20.62.53/yyy2.html

Also, the following item constantly appears around the same time, and other times:

www.look2me.com

Both of these sites were immediately added to the restricted zones list, and seemed to have stopped the random downloading. However, the window keeps appearing--now it just won't go away.

Edited by Silphion, 07 June 2004 - 02:27 AM.


#3 gr8techie

Posted 07 June 2004 - 04:03 AM

Hi Silphion,
Before you run AdAware 6, Spybot S&D, HJT and CWS, turn off System Restore by right-clicking My Computer and going to the System Restore tab. Check "Turn off System Restore", then click Apply and OK to close. Boot into safe mode. Run your anti-virus program for a complete scan. After that, run AdAware (make sure that you have the latest updates installed for all the programs): click on Start, go to Customize and check "deep scan within archives". Also check (= green) "scan my hosts file". After that, do a scan and let AdAware do the rest. After that, restart your system again into safe mode and now run Spybot S&D. Restart again (into safe mode) and then run CWShredder and click on Fix It. After that, boot again into safe mode, then run HijackThis, get a log file and post it here for further instructions. This is to ensure that no malicious objects are left on your computer. OK :)

#4 Silphion

Posted 07 June 2004 - 12:06 PM

Instructions carried out, but sadly to no effect. I'm still infected with whatever it is.

Update
Virus Scan: Nothing Detected
Ad-Aware: Detected VX2.BetterInternet - Killed
Spybot: Detected 5 DSO Exploits it was unable to fix.
CWShredder: Nothing Detected

New Invasive Popup - SpyBloc (comes on during startup and random times)

Looking at below, I'm beginning to think that this thing doesn't leave a trace in HijackThis...

HijackThis Log
Logfile of HijackThis v1.97.7
Scan saved at 9:11:08 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\All Users\Documents\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomshardware.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.webcrawle...wbcrwl.toolbar/
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Webcrawler Toolbar - {9677F3F1-E994-451F-805F-7148CC8AE040} - C:\Program Files\WebcrawlerToolbar\ultrabar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Webcrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\WebcrawlerToolbar\contextsearch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.dslreports.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C67B2768-1CB6-4B34-AAB8-8438B01ACD88}: NameServer = 68.62.160.6,68.62.160.5

Edited by Silphion, 07 June 2004 - 12:06 PM.


#5 Silphion

Posted 08 June 2004 - 01:19 PM

More information & Bump:

I'm thoroughly convinced the culprit is running through the rundll32.exe task. Every time I end that process, the popups leave me alone for a good while. But when the popups DO come back, so does the rundll32.exe task. Lately, it seems to come back whenever the computer boots up (normal mode OR safe mode), and when it resumes from standby/screen saver.

And this is truly frightening, folks.

While booted in safe mode, the hijack did its thing and tried to make the popups yet again... Yes, safe mode. Again, rundll32.exe was a running process, and it came back whenever the popups did.

Edited by Silphion, 08 June 2004 - 01:47 PM.


#6 Silphion

Posted 09 June 2004 - 08:28 PM

Bump

#7 irelynnmisses

Posted 09 June 2004 - 11:31 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.webcrawle...wbcrwl.toolbar/
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: Webcrawler Toolbar - {9677F3F1-E994-451F-805F-7148CC8AE040} - C:\Program Files\WebcrawlerToolbar\ultrabar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O8 - Extra context menu item: Webcrawler Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\WebcrawlerToolbar\contextsearch.htm
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe

Make sure AdAware and CWShredder are updated, then reboot in safe mode and run both.

Reboot once more in regular mode....

Go to start >Run and paste this in:
%Userprofile%\Local Settings\Temp folder

It will open your temp folder.

Go to the toolbar>Edit>Select All
Then go back to File>Delete

Then get an online virus scan here: http://housecall.trendmicro.com/ Please select the Autoclean option when prompted.
or here: http://www.pandasoft...com/activescan/


Download VX2Finder from this link:
http://www.downloads...g/VX2Finder.exe


Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.
--------------------------------

Edited by irelynnmisses, 10 June 2004 - 12:27 AM.

FireFox is recommended over IE: http://www.mozilla.o...oducts/firefox/

Misses Loves Kisses

Also, please don't PM me your hijack logs. I would rather you post them and PM me if you wish for me to look at them. A PM with a hijack log will get ignored!

#8 Silphion

Posted 10 June 2004 - 10:14 AM

Delete files found on Hijack this: Done
Update AdAware, Spybot, and CWS: Done
Reboot to Safemode and run above programs: Done
Reboot to normal mode & Delete temp files: Done, with popup
The following popup appeared during deletion (but was foiled by my blocking of www.look2me.com)
http://www.look2me.c...5A7B}&AD=CyDoor

Run Virus Scan: McAfee - No Results / TrendMicro Housecall - No Results
Download & Run VX2Finder: Done - VX2 Found!

VX2 Log:
Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\amaamon.dll
C:\WINDOWS\System32\aqphelp.dll
C:\WINDOWS\System32\arctres.dll
C:\WINDOWS\System32\azctres.dll


Guardian Key--- is called: GuardianAYPCM
Asynchronous 000
DllName C:\WINDOWS\system32\6zo4svc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {AB35FE1F-F630-444D-AF8B-B1BC75815A7B}
IDex DS3

User Agent String---
{AB35FE1F-F630-444D-AF8B-B1BC75815A7B}


Notes:
www.Look2me.com (and the annoying yyy2.htm and yyy3.htm) popups will appear anytime Internet Explorer is running (such as McAfee virus scan). Sorry, but I cannot dump McAfee at this time.

Stopping the Rundll32.exe, as noted above, helps slow the onslaught, but does nothing to prevent it. If VX2 is the culprit, then I'll be glad to be rid of it.

Also, popups appeared during the entire time I was doing virus scan, so deleting those files from HijackThis did not stop it--probably only crippled it a little.
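
Added example (not part of the thread): the Guardian Key fields in the VX2Finder log above (DllName, Logon, Logoff, Asynchronous, Impersonate) are the value names of a Winlogon notification package, so this Python sketch parses the report and cross-checks it against the other evidence in the post. The function names are hypothetical, the registry path is the standard XP Notify location and is assumed (not stated in the log) to be where the guardian key lives, and `5A7B}` is only the visible tail of the elided popup URL.

```python
import ntpath

# Standard location of Winlogon notification packages (assumed home of the guardian key).
NOTIFY_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Copied from the VX2Finder log in the post above.
SAMPLE_REPORT = r"""Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\amaamon.dll
C:\WINDOWS\System32\aqphelp.dll
C:\WINDOWS\System32\arctres.dll
C:\WINDOWS\System32\azctres.dll

Guardian Key--- is called: GuardianAYPCM
Asynchronous 000
DllName C:\WINDOWS\system32\6zo4svc.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {AB35FE1F-F630-444D-AF8B-B1BC75815A7B}
IDex DS3

User Agent String---
{AB35FE1F-F630-444D-AF8B-B1BC75815A7B}
"""

def parse_vx2_report(text):
    """Split a VX2Finder log into files, guardian key values and user-agent IDs."""
    report = {"files": [], "guardian_name": None, "guardian": {}, "user_agent_ids": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files Found---"):
            section = "files"
        elif line.startswith("Guardian Key---"):
            section = "guardian"
            report["guardian_name"] = line.split("is called:", 1)[-1].strip()
        elif line.startswith("User Agent String---"):
            section = "ua"
        elif section == "files":
            report["files"].append(line)
        elif section == "guardian":
            name, _, value = line.partition(" ")   # "DllName <path>"
            report["guardian"][name] = value.strip()
        elif section == "ua":
            report["user_agent_ids"].append(line)
    return report

def correlate(report, popup_url_tail=""):
    """Tie the notify DLL, the dropped files and the tracking ID together."""
    g = report["guardian"]
    dll = ntpath.normcase(g.get("DllName", ""))    # Windows paths are case-insensitive
    files = {ntpath.normcase(p): p for p in report["files"]}
    ident = g.get("ID", "")
    return {
        "registry_key": NOTIFY_ROOT + "\\" + (report["guardian_name"] or "?"),
        "dll_in_files_found": dll in files,
        "other_files": [p for k, p in files.items() if k != dll],
        "id_matches_user_agent": ident in report["user_agent_ids"],
        "id_matches_popup_tail": bool(popup_url_tail) and ident.endswith(popup_url_tail),
    }

if __name__ == "__main__":
    for key, value in correlate(parse_vx2_report(SAMPLE_REPORT), "5A7B}").items():
        print(f"{key}: {value}")
```
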

#9 Silphion

Posted 11 June 2004 - 02:54 AM

Bump

#10 Silphion

Posted 12 June 2004 - 07:47 AM

BUMP

#11 Silphion

Posted 12 June 2004 - 02:16 PM

I went through VX2Finder's documentation, and effectively erased VX2 and all its guardians and traces from my computer. So far, there have been no popups since that time. If I don't make another comment within the next three days, consider the issue resolved. :)

In the meantime, any helper who wants to add some advice (in case it's not resolved), feel free.

#12 irelynnmisses

Posted 13 June 2004 - 02:03 AM

Sorry I didn't get back sooner... posts get buried at times. Good for you! Can you post a log to be checked? There is still more to go :)

#13 Silphion

Posted 14 June 2004 - 06:44 AM

Sure thing:

Logfile of HijackThis v1.97.7
Scan saved at 6:43:12 AM, on 6/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\NuonSoft\WallpaperCycler\wallpapercycler.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Documents\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomshardware.com/
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NuonSoft Wallpaper Cycler StartupHelper] C:\Program Files\NuonSoft\WallpaperCycler\StartupHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: http://www.dslreports.com
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C67B2768-1CB6-4B34-AAB8-8438B01ACD88}: NameServer = 68.62.160.6,68.62.160.5



VX2Finder says... Clean!
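
Added example (not part of the thread): a Python diff of two HijackThis logs, run on lines excerpted from the logs in posts #4 and #13, that lists the entries the cleanup removed or introduced and checks whether any DLL named in the VX2Finder log ever appeared in a HijackThis entry. The function names are hypothetical and the sample logs are shortened excerpts, not the full logs.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")
ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")   # e.g. "O4 - HKLM\..\Run: ..."

# Excerpt of the 07 June log (post #4).
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomshardware.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.webcrawle...wbcrwl.toolbar/
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: Webcrawler Toolbar - {9677F3F1-E994-451F-805F-7148CC8AE040} - C:\Program Files\WebcrawlerToolbar\ultrabar.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
"""

# Excerpt of the 14 June log (post #13).
AFTER = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tomshardware.com/
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# File names listed under "Files Found" in the VX2Finder log (post #8).
VX2_FILES = ["6zo4svc.dll", "amaamon.dll", "aqphelp.dll", "arctres.dll", "azctres.dll"]

def parse_hjt(text):
    """Return the R/O entries of a log; header and process list do not match."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Case-fold so the same path in different case is not a "change".
            entries.add(Entry(m.group(1), m.group(2).casefold()))
    return entries

def diff_logs(before, after):
    """Return (removed, added) entries, ordered by section code."""
    b, a = parse_hjt(before), parse_hjt(after)
    order = lambda e: (e.section[0], int(e.section[1:]), e.detail)
    return sorted(b - a, key=order), sorted(a - b, key=order)

def mentions(text, names):
    """Names that occur in any parsed entry of the log."""
    details = [e.detail for e in parse_hjt(text)]
    return [n for n in names if any(n.casefold() in d for d in details)]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print("removed", e.section, e.detail)
    for e in added:
        print("added  ", e.section, e.detail)
    print("VX2 files visible in the earlier log:", mentions(BEFORE, VX2_FILES))
```
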



