Author Topic: Trojan 514 and Trojan 560  (Read 3525 times)
tounfite
« on: December 31, 2004, 10:56:00 PM »

Hi
I have a couple of Trojan viruses.
Trojano-514 and Trojan-560
Avast is deleting it but it comes back again and again.
I have used Ad-Aware and Spybot as well but it doesn't help.
Maybe you can help me?
By the way, I don't use IE. Can't use it no more. Have to use Mozilla.

Thank you,
Ruben

Here is the logfile:

Logfile of HijackThis v1.97.7
Scan saved at 23:42:14, on 31-12-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\MISITRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\misiCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\KDX\KHOST.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\TWINK64.EXE
C:\PROGRAM FILES\SURFSIDEKICK 2\SSK.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\PROGRAM FILES\SURFSIDEKICK 2\SSK.EXE
C:\WINDOWS\APPLICATION DATA\EORP.EXE
C:\WINDOWS\SYSTEM\TVQW.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WISADSADNDOS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easypic.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 80.25.111.46
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.167.4.105:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - HKCU\..\Run: [Eaf] C:\WINDOWS\SYSTEM\tvqw.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4253/mcfscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37854.168125
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.234.32/hosts/grh618/GlassRoomVoice.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548

 
Geekgirl
« Reply #1 on: December 31, 2004, 11:16:38 PM »

Hi

Please scan your PC with this free online scanner: Housecall


After scanning with Housecall, please run LSPFix:
1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select aklsp.dll
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.
6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the following file: c:\windows\system\aklsp.dll
8. Restart your computer and bring it up in normal mode.

I also noticed you are using an outdated version of HJT. Please download and install the newest version, HiJackThis 1.99, and post a fresh log.
« Last Edit: December 31, 2004, 11:18:47 PM by Geekgirl »




Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
tounfite
« Reply #2 on: January 01, 2005, 01:10:39 AM »

Thanks for the reply,
With the Housecall it went wrong. Couldn't get it downloaded in IE and with Mozilla it was no problem but then IE didn't show any icon in the browser.
But with LSPFix it was no problemo and the aklsp.dll is removed in the safe mode.
Unfortunately the trojans are still alive and kicking: IE is getting triggered/started by itself about each 10-15 minutes and I get these warnings from Avast.

Here is the new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 2:11:12, on 1-1-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\MISITRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\misiCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\TWINK64.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\WINDOWS\APPLICATION DATA\EORP.EXE
C:\WINDOWS\SYSTEM\TVQW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WISADSADNDOS.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\NEWHIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.easypic.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=114
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 80.25.111.46
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.167.4.105:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - HKCU\..\Run: [Eaf] C:\WINDOWS\SYSTEM\tvqw.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - HKCU\..\RunServices: [Eaf] C:\WINDOWS\SYSTEM\tvqw.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4253/mcfscan.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.234.32/hosts/grh618/GlassRoomVoice.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548


 
Cactus
« Reply #3 on: January 01, 2005, 01:59:13 AM »

Yes you do, but Geekgirl accomplished what she was doing, which was cleaning up the WinSock HiJack... which she did.

She's still NOT finished with you either, because you also have the NEW HOST INFECTION.

But in the meantime, to try and get your PC under control and make it a little cleaner for Geekgirl, let's get rid of the Pop-ups and other Nasties you have.

Ok to start let's ...

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

LOADQM.EXE
TWINK64.EXE
CASHBACK.EXE
EORP.EXE
TVQW.EXE
WISADSADNDOS.EXE
msupdsrv.exe
Ssk.exe




Turn off System Restore (WinXP, WinME). (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=114
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 80.25.111.46
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.167.4.105:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
R3 - URLSearchHook: (no name) - {CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\SYSTEM\MTC.DLL
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\IESEARCHTOOLBAR.DLL
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

O4 - HKCU\..\Run: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\Run: [Eaf] C:\WINDOWS\SYSTEM\tvqw.exe
O4 - HKCU\..\RunServices: [SurfSideKick 2] C:\PROGRAM FILES\SURFSIDEKICK 2\Ssk.exe
O4 - HKCU\..\RunServices: [Eaf] C:\WINDOWS\SYSTEM\tvqw.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)

O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/1/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548


The next are optional, but recommended for removal. They are resource hogs and not needed on startup; removing them does not disable the program:


O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Go to Control Panel / Add/Remove Programs and remove the following if they are there:


CASHBACK
IEMENUEXTENSION
SURFSIDEKICK
MediaTickets


Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\SYSTEM\TWINK64.EXE
C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
C:\WINDOWS\SYSTEM\TVQW.EXE
C:\WINDOWS\SYSTEM\WISADSADNDOS.EXE
C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
C:\WINDOWS\SYSTEM\MTC.DLL
C:\WINDOWS\SYSTEM\FM20EGUT.DLL
C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
C:\msupdsrv.exe
C:\WINDOWS\msupdsrv.exe
C:\WINDOWS\SYSTEM32\msupdsrv.exe


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files


Turn on System Restore

Before opening your browser, go to START > CONTROL PANEL > INTERNET OPTIONS and make sure your Homepage is correct. If not, type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.

Cactus

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
tounfite
« Reply #4 on: January 01, 2005, 02:29:57 PM »

Thanks for the reply,

I did the instructions you gave me, although I have a few comments.

When you suggested removing several items in HijackThis, I couldn't find a few of them:
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
But I guess it's a good thing that they weren't listed?


The rest of the list is removed.
But what about this one:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

I don't have to remove that one either?

----------------------


Not found: C:\PROGRAM FILES\CASHBACK\BIN\CASHBACK.EXE
Not found: C:\WINDOWS\SYSTEM\TVQW.EXE
Not found: C:\WINDOWS\SYSTEM\WISADSADNDOS.EXE
Not found: C:\PROGRAM FILES\IEMENUEXTENSION\TBEXTN.DLL
Not found: C:\WINDOWS\SYSTEM\MTC.DLL
Can't delete it. In use by Windows: C:\WINDOWS\SYSTEM\FM20EGUT.DLL
Not found: C:\PROGRAM FILES\SURFSIDEKICK 2\SSKBHO.DLL
Not found: C:\msupdsrv.exe
Not found: C:\WINDOWS\msupdsrv.exe
Not found: C:\WINDOWS\SYSTEM32\msupdsrv.exe

-----------------


The Temporary Internet files folder is empty now. Maybe a silly question but do I also have to empty the "Temp" folder?
(Btw. I just found 1 temporary internet folder in W98)

-------------------



At this moment I don't get these warning messages from Avast anymore about Trojan viruses! That's a big relief cos it freaked me out.
But IE still gets triggered and opens a browser window by itself.

------------------


Thanks for the help, Cactus and Geekgirl.

Here is the new logfile


Logfile of HijackThis v1.99.0
Scan saved at 15:24:52, on 1-1-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\MISITRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\misiCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\APPLICATION DATA\EORP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NEWHIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.nl
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4253/mcfscan.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.234.32/hosts/grh618/GlassRoomVoice.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab

« Last Edit: January 01, 2005, 02:36:48 PM by tounfite »
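The before/after comparison that the helpers in this thread do by eye, as an added example that is not part of the original posts: it parses HijackThis entry lines, reports which entries on a fix list still show up in a later scan, and which entries are new. The function names are made up for this example, and the sample lines are short excerpts from the logs posted above.

```python
import re

# Section codes that occur in this thread's logs and what HijackThis lists under them.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O1": "Hosts file redirection",
    "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "Autostart entry", "O9": "Extra IE button/menu item",
    "O10": "Winsock LSP", "O14": "IERESET.INF setting",
    "O15": "Trusted Zone entry", "O16": "Downloaded ActiveX object",
}

# An entry line is a section code, " - ", then the entry text.
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+?)\s*$")


def parse_entries(log_text):
    """Map a normalized (code, text) key to the first original line seen.

    Whitespace runs are collapsed and case is folded for the key, because the
    same entry is printed with different spacing and path case across posts.
    Repeated lines (the logs above repeat several) collapse to one key.
    """
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group(1), re.sub(r"\s+", " ", m.group(2))
        entries.setdefault((code, body.casefold()), line)
    return entries


def _order(key):
    # Sort O1 < O2 < O15 numerically rather than as strings.
    code, body = key
    return (code[0], int(code[1:]), body)


def still_present(fix_list, later_log):
    """Entries that were selected for fixing but appear again in a later scan."""
    wanted, later = parse_entries(fix_list), parse_entries(later_log)
    return [later[k] for k in sorted(wanted.keys() & later.keys(), key=_order)]


def appeared(earlier_log, later_log):
    """Entries in the later scan that the earlier scan did not contain."""
    earlier, later = parse_entries(earlier_log), parse_entries(later_log)
    return [later[k] for k in sorted(later.keys() - earlier.keys(), key=_order)]


def summarize(lines):
    """Count entry lines per section description."""
    counts = {}
    for line in lines:
        code = ENTRY_RE.match(line).group(1)
        name = SECTIONS.get(code, code)
        counts[name] = counts.get(name, 0) + 1
    return counts


# Excerpt of the log in Reply #2 (scan before the fix).
EARLIER_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
"""

# Excerpt of the fix list in Reply #3.
FIX_LIST = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O4 - HKLM\..\Run: [MSUpdSrv] msupdsrv.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
"""

# Excerpt of the log in Reply #4 (scan after the fix).
LATER_LOG = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\APPLICATION DATA\EORP.EXE
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O15 - Trusted IP range: 67.19.185.246
"""

if __name__ == "__main__":
    for line in still_present(FIX_LIST, LATER_LOG):
        print("still present:", line)
    for line in appeared(EARLIER_LOG, LATER_LOG):
        print("new entry:    ", line)
```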

 
Cactus
« Reply #5 on: January 01, 2005, 03:12:44 PM »

Ok great... your logfile looks way better.

I'm done with you for now. Geekgirl will come in and deal with the HOST INFECTION. When she's done she'll instruct you to run HJT again.
I'll check your logfile out when you do.


Cactus
Logged

tounfite
« Reply #6 on: January 01, 2005, 06:14:27 PM »


Okay,
thanks!

 
Geekgirl
Global Moderator
« Reply #7 on: January 01, 2005, 11:02:07 PM »

Hi tounfite
Follow these instructions carefully. DO NOT REBOOT until all dll files are entered into Killbox.

Have these 2 utilities ready to use on the desktop.

Dllcompare (version 1.0.0.127), which will scan for locked files created by VX2
and
Killbox (version 2.0.0.76), which will be responsible for removing the files found

Using DllCompare:

Copy the dllcompare.exe to your desktop, don't just run it from the download site.
It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete *in blue "Completed"
Click the button [Make a Log of what was Found] and place it on your Desktop.

To identify suspected VX2 files, look at the dates in the log, all will have been created in the month of late Nov and to current. There are other legitimate files that may also be there, so just don't delete everything in the list either
****
sample log:

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

D:\WINDOWS\SYSTEM32\dad8.dll       Mon Dec 13 2004   3:24:48a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll   Mon Dec 13 2004   3:09:08a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll   Sun Dec 12 2004  10:36:04p  ..S.R        224,137   218.88 K
D:\WINDOWS\SYSTEM32\hrp805~1.dll   Mon Dec 13 2004   3:24:48a  ..S.R        224,107   218.85 K
D:\WINDOWS\SYSTEM32\irrml5~1.dll   Sun Dec 12 2004  10:14:28p  ..S.R        224,427   219.16 K
D:\WINDOWS\SYSTEM32\lmexpand.dll   Sun Dec 12 2004  10:36:04p  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\oabcp32r.dll   Mon Dec 13 2004   3:10:04a  ..S.R        224,362   219.10 K
________________________________________________

1,108 items found:  1,108 files (7 H/S), 0 directories.
Total of file sizes:  190,775,194 bytes    181.93 M

Administrator Account =  True

--------------------End log---------------------



Now, it is most IMPORTANT that you DO NOT reboot until all files can be entered into Killbox

Step 2

Using Killbox:

Copy Killbox to your Desktop (Do not run from the download site)

Settings for Killbox
From the menu bar click the "About" and ensure you have version 2.0.0.76 or better.
Select Option Replace on Reboot
From the Dllcompare log copy & paste each full path into the Killbox topmost box.

ie: a fullpath from our sample log would be
D:\WINDOWS\SYSTEM32\dad8.dll
D:\WINDOWS\SYSTEM32\enp2l1~1.dll
etc.


With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.

Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to "Reboot now?" You will need to click No (since you are not finished adding all related files in yet)

Do this for every file you have matching the VX2 criteria in the dllcompare log.
*In the sample file here, every file matches VX2 parameters and would be input into Killbox.

ie: Top line in Killbox would have the path
D:\WINDOWS\SYSTEM32\dad8.dll
the bottom line would show a dummy file in user Temp directory
D:\Documents and Settings\User\Local Settings\Temp\kbdummy.1



Do this same step for every file in the dllcompare log, (Or each file one of the forum experts/helpers etc. tell you to)

When you get to the last file in the Dllcompare log, also add in one additional file

C:\Windows\System32\Guard.tmp

*Be careful to include the correct path to the system32 folder, as drive letters & windows folder names change slightly from system to system
If this is an issue, click the [Browse] button in Killbox and navigate to the guard.tmp manually. (it will always be in the System32 directory, and may need to have File & Folder options to "unhide system files" enabled)


On that last file, close all programs and Reboot your computer.

Step 3

After a Reboot, use the DllCompare again and create another log.
If all was successful, it should be empty.
At worst, it will show many fewer files, and you may have to repeat the step 2 again one more time.

Guard.tmp may still exist as it creates on Shutdown, but is unprotected at this point.
Open Killbox again, paste the path to guard.tmp into the first box.
ie:

C:\WINDOWS\SYSTEM32\guard.tmp


This will only require a "Standard File Kill" default setting of Killbox.
If the file does exist, you will see the name guard.tmp in Blue appear. Click the Red X to delete it.


Please let me know when you are ready for more instructions

Girlz Rule ...Boyz Drool
____________________________
ALWAYS BACKUP YOUR REGISTRY BEFORE EDITING
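The log triage described in the post above (pick entries by date, but do not treat the whole list as malicious), as an added example that is not part of the original post and not part of DllCompare or Killbox. The function names, the cutoff of 20 Nov 2004 standing in for "late Nov", the reading of "(7 H/S)" as the count of hidden/system files, and the one extra `oldfile.dll` line are assumptions of this example.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# The sample DllCompare log from the post, embedded so the example runs offline.
SAMPLE_LOG = r"""
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!

D:\WINDOWS\SYSTEM32\dad8.dll       Mon Dec 13 2004   3:24:48a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\enp2l1~1.dll   Mon Dec 13 2004   3:09:08a  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\hr0u05~1.dll   Sun Dec 12 2004  10:36:04p  ..S.R        224,137   218.88 K
D:\WINDOWS\SYSTEM32\hrp805~1.dll   Mon Dec 13 2004   3:24:48a  ..S.R        224,107   218.85 K
D:\WINDOWS\SYSTEM32\irrml5~1.dll   Sun Dec 12 2004  10:14:28p  ..S.R        224,427   219.16 K
D:\WINDOWS\SYSTEM32\lmexpand.dll   Sun Dec 12 2004  10:36:04p  ..S.R        223,232   218.00 K
D:\WINDOWS\SYSTEM32\oabcp32r.dll   Mon Dec 13 2004   3:10:04a  ..S.R        224,362   219.10 K

1,108 items found:  1,108 files (7 H/S), 0 directories.
"""

# Constructed line (not from the thread): an older file the date rule should skip.
CONSTRUCTED_OLD_ENTRY = (
    r"D:\WINDOWS\SYSTEM32\oldfile.dll    Tue Mar 02 2004  11:05:10a  ..S.R"
    r"         51,200    50.00 K"
)

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# path, weekday, month, day, year, 12-hour time with a/p suffix, attributes, bytes, size in K
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<year>\d{4})\s+"
    r"(?P<h>\d{1,2}):(?P<m>\d{2}):(?P<s>\d{2})(?P<ap>[ap])\s+"
    r"(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+[\d.]+ K\s*$"
)


class Entry(NamedTuple):
    path: str
    created: datetime
    attrs: str
    size: int


def parse_dllcompare(text: str) -> list:
    """Return one Entry per file line; headers, rulers and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        hour = int(m["h"]) % 12 + (12 if m["ap"] == "p" else 0)
        created = datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                           hour, int(m["m"]), int(m["s"]))
        entries.append(Entry(m["path"], created, m["attrs"],
                             int(m["size"].replace(",", ""))))
    return entries


def hs_count(text: str) -> Optional[int]:
    """Number reported in the '(N H/S)' summary, used to confirm no line was missed."""
    m = re.search(r"\((\d+) H/S\)", text)
    return int(m.group(1)) if m else None


def review_candidates(entries: list, cutoff: datetime) -> list:
    """Entries dated on or after the cutoff, oldest first, for a human to review."""
    return sorted((e for e in entries if e.created >= cutoff), key=lambda e: e.created)


if __name__ == "__main__":
    parsed = parse_dllcompare(SAMPLE_LOG)
    if hs_count(SAMPLE_LOG) != len(parsed):
        print("warning: parsed line count differs from the log's own H/S total")
    everything = parse_dllcompare(SAMPLE_LOG + "\n" + CONSTRUCTED_OLD_ENTRY)
    for e in review_candidates(everything, datetime(2004, 11, 20)):  # assumed cutoff
        print(e.created.isoformat(" "), e.attrs, f"{e.size:>9,}", e.path)
```

The output is a review list only; as the post says, legitimate files can appear in a DllCompare log, so each path still needs a decision before it is entered into Killbox.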
tounfite
« Reply #8 on: January 02, 2005, 05:08:59 PM »

Thanks for the reply,

I have tried to do the instructions but unfortunately I didn't understand all of it (English isn't my first or second language)

Everything went well until I came to the point of:

"When you get to the last file in the Dllcompare log, also add in one additional file

C:\Windows\System32\Guard.tmp"

Etc.

I don't know what it is or what to do.
Because I didn't know it I just rebooted the computer after the last file in the DLLcompare log was deleted in Killbox.
After the comp was rebooted I did the Dllcompare and the Killbox again but this line is coming back every time in the Dllcompare log:
C:\WINDOWS\SYSTEM\cwet16.dll
(I have run the Dllcompare and the Killbox 3 times now)


Ahum, sorry for the confusion but at this point I'm lost.....

 
Geekgirl
Global Moderator
« Reply #9 on: January 02, 2005, 05:16:14 PM »

Ok, run DllCompare, enter any dll's it finds in Killbox as you did previously. After you enter all dll's in Killbox from Dll compare enter C:\Windows\System32\Guard.tmp as if dll compare had found it.

Reboot and run Dll compare again. Let me know
Logged




tounfite
« Reply #10 on: January 02, 2005, 06:35:56 PM »

Ah! That wasn't too complicated at all

I did step 3 as well but this line keeps coming back in DLLCompare: C:\WINDOWS\SYSTEM\cwet16.dll

quote:
C:\WINDOWS\SYSTEM32\guard.tmp
This will only require a "Standard File Kill" default setting of Killbox. If the file does exist, you will see the name guard.tmp in Blue appear. Click the Red X to delete it.


The name doesn't appear in blue. Just black.
Killbox says it doesn't exist.

Also DLLCompare doesn't scan anything in System32. It scans the System folder. (I don't know if that matters?)


Anyway I'm ready for instructions
« Last Edit: January 02, 2005, 06:38:52 PM by tounfite » Logged

 
Geekgirl
Global Moderator
« Reply #11 on: January 02, 2005, 07:04:10 PM »

Well it is preset to scan the System32 directory.

Step 4

Cleanup

Providing the Dllcompare log is free of offending VX2 .dll files you now need to repair some of the damages done to your system.

Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
ie:

C:\RECYCLER\Desktop.ini


Click Red X to delete it.
or
Simply Browse to the Directory under C:(root) called RECYCLER
In Killbox you will see in blue also the term Directory
Click the Red X to delete it.
*Either of these methods will fix the bug where no files are shown in recycle bin, and no option to store files into recycle bin.


Reboot and post a fresh logfile




tounfite
« Reply #12 on: January 02, 2005, 08:24:04 PM »

quote:
Providing the Dllcompare log is free of offending VX2 .dll files


Just this one: C:\WINDOWS\SYSTEM\cwet16.dll    
And a new one: C:\WINDOWS\SYSTEM\wt2_32.dll

Okido here is the new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 21:26:20, on 2-1-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\MISITRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\misiCTRL.EXE
C:\WINDOWS\APPLICATION DATA\EORP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NEWHIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.nl
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4253/mcfscan.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.234.32/hosts/grh618/GlassRoomVoice.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
Logged

 
Geekgirl
Global Moderator
« Reply #13 on: January 02, 2005, 08:58:34 PM »

It has seemed to regenerate itself again.
Are you sure when you're using Dllcompare and Killbox that no other windows or browsers are open?
Unfortunately you are going to have to start from the beginning. Remember, DO NOT REBOOT until ALL dll files are placed into Killbox.

Have these 2 utilities ready to use on the desktop.

Dllcompare (version 1.0.0.127), which will scan for locked files created by VX2
and
Killbox (version 2.0.0.76), which will be responsible for removing the files found

Using DllCompare:

Copy the dllcompare.exe to your desktop, don't just run it from the download site.
It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete *in blue "Completed"
Click the button [Make a Log of what was Found] and place it on your Desktop.

To identify suspected VX2 files, look at the dates in the log, all will have been created in the month of late Nov and to current. There are other legitimate files that may also be there, so just don't delete everything in the list either.

Using Killbox:

Copy Killbox to your Desktop (Do not run from the download site)

Settings for Killbox
From the menu bar click the "About" and ensure you have version 2.0.0.76 or better.
Select Option Replace on Reboot
From the Dllcompare log copy & paste each full path into the Killbox topmost box.

ie: a fullpath from our sample log would be
D:\WINDOWS\SYSTEM32\dad8.dll
D:\WINDOWS\SYSTEM32\enp2l1~1.dll
etc.

With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.

Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to "Reboot now?" You will need to click No (since you are not finished adding all related files in yet)

Do this for every file you have matching the VX2 criteria in the dllcompare log.
*In the sample file here, every file matches VX2 parameters and would be input into Killbox.

ie: Top line in Killbox would have the path
D:\WINDOWS\SYSTEM32\dad8.dll
the bottom line would show a dummy file in user Temp directory
D:\Documents and Settings\User\Local Settings\Temp\kbdummy.1


Do this same step for every file in the dllcompare log, (Or each file one of the forum experts/helpers etc. tell you to)

When you get to the last file in the Dllcompare log, also add in one additional file

C:\Windows\System32\Guard.tmp

*Be careful to include the correct path to the system32 folder, as drive letters & windows folder names change slightly from system to system
If this is an issue, click the [Browse] button in Killbox and navigate to the guard.tmp manually. (it will always be in the System32 directory, and may need to have File & Folder options to "unhide system files" enabled)


On that last file, close all programs and Reboot your computer.


After a Reboot, use the DllCompare again and create another log.
If all was successful, it should be empty.
At worst, it will show many fewer files, and you may have to repeat the step 2 again one more time.

Guard.tmp may still exist as it creates on Shutdown, but is unprotected at this point.
Open Killbox again, paste the path to guard.tmp into the first box.
ie:

C:\WINDOWS\SYSTEM32\guard.tmp

This will only require a "Standard File Kill" default setting of Killbox.
If the file does exist, you will see the name guard.tmp in Blue appear. Click the Red X to delete it.


Please read this carefully
*Be careful to include the correct path to the system32 folder, as drive letters & windows folder names change slightly from system to system
If this is an issue, click the [Browse] button in Killbox and navigate to the guard.tmp manually. (it will always be in the System32 directory, and may need to have File & Folder options to "unhide system files" enabled)


Post back when you're ready for further instructions




tounfite
« Reply #14 on: January 02, 2005, 09:39:50 PM »

quote:
It has seemed to regenerate itself again.
Are you sure when you're using Dllcompare and Killbox that no other windows or browsers are open?


Ahum. Eh...the first time I had this browser open to read the instructions carefully while I was using DLLcompare and Killbox.
But now everything was closed.

quote:
Unfortunately you are going to have to start from the beginning. Remember, DO NOT REBOOT until ALL dll files are placed into Killbox.


It's no problem to do this again.
By now I can do it with my eyes closed

quote:
C:\WINDOWS\SYSTEM32\guard.tmp
This will only require a "Standard File Kill" default setting of Killbox.
If the file does exist, you will see the name guard.tmp in Blue appear. Click the Red X to delete it.


It still stays black and Killbox says: "File does not seem to excist"


(Just in case) Here is the new logfile:

Logfile of HijackThis v1.99.0
Scan saved at 22:41:12, on 2-1-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\MISITRAY.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\misiCTRL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\APPLICATION DATA\EORP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\NETSHOW SERVICES\TOOLS\REXPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\NEWHIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = http://www.google.nl
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: fm20egut - {B8018728-E51D-33D7-1F6C-81A28B67D5C7} - C:\WINDOWS\SYSTEM\FM20EGUT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [misiTRAY] C:\WINDOWS\SYSTEM\misiTRAY.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.nl
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.nl
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4253/mcfscan.cab
O16 - DPF: {2F29658D-FB92-4A4F-8FFF-0D1BC1BA52C5} (GlassRoomVoice Control) - http://207.44.234.32/hosts/grh618/GlassRoomVoice.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/zd/kdx.cab
« Last Edit: January 02, 2005, 09:46:26 PM by tounfite » Logged
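Replies #12 and #14 each carry a HijackThis log saved about 75 minutes apart. The following added example (not part of any post and not a HijackThis feature) diffs abridged excerpts of those two logs and tallies the O1 Hosts redirects; the function names are this example's own, and the excerpts keep only a few of the logs' lines.

```python
import re
from collections import Counter, defaultdict

# Abridged excerpt of the log in reply #12 (lines copied from the thread).
LOG_REPLY_12 = r"""
Logfile of HijackThis v1.99.0
Scan saved at 21:26:20, on 2-1-05
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKCU\..\Run: [Rmar] C:\WINDOWS\Application Data\eorp.exe
O15 - Trusted IP range: 67.19.185.246
"""

# Abridged excerpt of the log in reply #14: same lines, one more ieautosearch entry.
LOG_REPLY_14 = LOG_REPLY_12.replace("21:26:20", "22:41:12").replace(
    "O4 - HKCU",
    "O1 - Hosts: 69.20.16.183 ieautosearch\nO4 - HKCU",
)

ITEM_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O1 - Hosts: ..."
HOSTS_RE = re.compile(r"^Hosts: (\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_hjt(text: str) -> Counter:
    """Count each (section code, detail) item; repeated lines are kept as counts."""
    items = Counter()
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items[(m.group(1), m.group(2))] += 1
    return items


def diff_logs(before: Counter, after: Counter):
    """Return (added, removed); Counter subtraction drops zero and negative counts."""
    return after - before, before - after


def hosts_redirects(items: Counter) -> dict:
    """Map each IP in the O1 section to the hostnames pointed at it, with counts."""
    redirects = defaultdict(Counter)
    for (code, detail), count in items.items():
        m = HOSTS_RE.match(detail) if code == "O1" else None
        if m:
            redirects[m.group(1)][m.group(2)] += count
    return {ip: dict(names) for ip, names in redirects.items()}


if __name__ == "__main__":
    before, after = parse_hjt(LOG_REPLY_12), parse_hjt(LOG_REPLY_14)
    added, removed = diff_logs(before, after)
    for (code, detail), n in sorted(added.items()):
        print(f"+{n} {code} - {detail}")
    for (code, detail), n in sorted(removed.items()):
        print(f"-{n} {code} - {detail}")
    for ip, names in hosts_redirects(after).items():
        print(ip, names)
```

On these excerpts the only difference is one additional `ieautosearch` Hosts line in the later log (7 instead of 6), and nothing was removed between the two scans.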

 