Hijacked


This topic is locked
15 replies to this topic

#1 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 19 December 2005 - 12:57 AM

Well, my gf's pc has been hijacked. Any help is greatly appreciated. I'm not too sure what it is, except that iema.exe, atlzf32.exe, 4.tmp.exe, and 3.tmp.exe now appear as running processes and these are not normal to her machine. Her desktop has been jacked to look like this:
[screenshot of the hijacked desktop]

Notice in the icon tray, the red circle with the white X icon. That was not there before. It reads "your pc is infected" when the mouse pointer is pointed over it.

Here's a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:52:51 AM, on 19/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\atlzg32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\iema.exe
C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
C:\winstall.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Priya Pancholi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4C5A0138-D271-3EAB-F478-58D6F5E05933} - C:\WINDOWS\system32\d3bj32.dll
O2 - BHO: Class - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netvn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iema.exe] C:\WINDOWS\system32\iema.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [3.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\RunOnce: [atlzg32.exe] C:\WINDOWS\atlzg32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c135.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1862E5E3-645E-44CF-A2B2-2A8BD96866BF}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntpy32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Help me eliminate any existence of this carp** off her machine. I'll probably have you guys look at mine next once this is done. :) Thanks,

Rami.


#2 dtschorn (New Member, Authentic Member, 10 posts)

Posted 19 December 2005 - 06:46 AM

Hi there, I just had this problem and was helped in this thread:

http://forums.tomcoy...showtopic=53909

#3 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 19 December 2005 - 08:21 AM

Hi there, I just had this problem and was helped in this thread:

http://forums.tomcoy...showtopic=53909


Thanks. However, I didn't see atlzf32.exe in your processes, so who knows. Before I do as directed in the other thread, I'll wait for a response from at least a Junior just before I proceed just to be on the safe side. I do appreciate your help.

#4 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 21 December 2005 - 11:04 AM

bump I'd like to get some verification here. While using the PC, MS-Paint popped up and an image of a star was drawn. Someone is definitely doing some shady stuff here. Help is greatly appreciated and quickly needed!

Edited by NeoBabylonian, 21 December 2005 - 11:12 AM.


#5 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 29 December 2005 - 06:30 PM

Ok, it's been well over 5 days and no replies. Is anyone out there?

#6 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 31 December 2005 - 05:32 AM

Yes, sorry, but when the newbeeee posted to your thread it made it look like someone was helping you. Post another log please from HijackThis.

#7 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 31 December 2005 - 01:24 PM

Yes, sorry, but when the newbeeee posted to your thread it made it look like someone was helping you.

Post another log please from HijackThis.


I'll be on my girl's machine tonight or tomorrow morning and I'll get that log to you very soon. Thanks man. I really appreciate it.

#8 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 31 December 2005 - 01:29 PM

;) I'll get to it as soon as I can. :)

#9 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 01 January 2006 - 09:58 PM

Here it is man. Thanks a ton!

Logfile of HijackThis v1.99.1
Scan saved at 10:57:03 PM, on 01/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\iegh32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\iema.exe
C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
C:\winstall.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Priya Pancholi\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4C5A0138-D271-3EAB-F478-58D6F5E05933} - C:\WINDOWS\system32\d3bj32.dll
O2 - BHO: Class - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netvn32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [iema.exe] C:\WINDOWS\system32\iema.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [3.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\RunOnce: [iegh32.exe] C:\WINDOWS\iegh32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c135.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1862E5E3-645E-44CF-A2B2-2A8BD96866BF}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntpy32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



#10 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 01 January 2006 - 10:16 PM

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Download CWShredder to your desktop.
Please do not do anything with it yet.

Download AboutBuster also to your desktop.
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Run AboutBuster.exe. Then hit Ok; note that there is now an Update button. Hit Update and 'Check for Update'. If there is a newer version, hit 'Download Update'. You should not run the program yet, so click "Exit".

Download cwsserviceremove.zip.
Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.

And the last one we need: download System Security Suite v1.04 here.
Tutorial here.


Now reconfigure Windows to show hidden files; instructions here.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

Reboot in safe mode; instructions here.

Close all programs leaving only HijackThis running. Place a check against each of the following, Click on Fix Checked when finished and exit HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {4C5A0138-D271-3EAB-F478-58D6F5E05933} - C:\WINDOWS\system32\d3bj32.dll
O2 - BHO: Class - {846C8D01-5152-7880-199F-7570BAA19867} - C:\WINDOWS\system32\netvn32.dll
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [3.tmp.exe] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c135.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä##·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntpy32.exe (file missing)


Using Windows Explorer, locate the following files/folders, and delete them:

C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\4.tmp.exe
C:\winstall.exe
C:\WINDOWS\system32\ntpy32.exe


Run CWShredder:
Double-click on CWShredder.exe.
Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit".

Double-click on cwsserviceremove.reg you downloaded earlier.
When it asks you to merge the information to the registry click "Yes".

Run AboutBuster and save the logs:
Run AboutBuster.exe.
Click OK at the directions prompt.
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I need a copy of it.

Run 3S; under the "Items To Clear" tab, place a checkmark in all of them but the last.

Restart your computer normally to return to normal mode.

Run two AV scans, allow them to delete whatever they find:
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note anything that can't be fixed.
Hopefully the only thing that can't be fixed is in your System Restore, which we need to clean out later.


Then post a fresh HijackThis log and the AboutBuster log back into this thread, without the quotes.
Please note any complications you had and any instructions that you could not follow.
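As an added example, not part of the thread and not HijackThis's own logic: a small Python triage script that encodes the indicators little eagle picked out of the log above (res:// search hijack into a dropped DLL, autoruns from Temp and the drive root, an unnamed BHO, an ActiveX control fetched from a bare IP, and an orphaned service with an unprintable name). The sample lines are copied from the logs posted in this thread; the heuristics and their wording are the editor's.

```python
"""Triage a HijackThis v1.99 log for the CWS-style indicators discussed in this thread."""
import re
from typing import Dict, Optional

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qlmat.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4C5A0138-D271-3EAB-F478-58D6F5E05933} - C:\WINDOWS\system32\d3bj32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [3.tmp] C:\DOCUME~1\PRIYAP~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\RunOnce: [iegh32.exe] C:\WINDOWS\iegh32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\ntpy32.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# One pattern per indicator. These are the editor's heuristics, not HijackThis features.
SECTION_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
RES_DLL_RE = re.compile(r"=\s*res://C:\\WINDOWS\\[^/]+\.dll/", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
ROOT_EXE_RE = re.compile(r"^C:\\[^\\]+\.exe$", re.IGNORECASE)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.IGNORECASE)


def triage_line(line: str) -> Optional[str]:
    """Return why a log line is suspicious, or None if it matches no indicator."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and RES_DLL_RE.search(body):
        # CWS points IE's search/start pages at an HTML resource inside a DLL it dropped.
        # about:blank on its own is not flagged; the helper reset it as part of the cleanup.
        return "IE search/start page points into a res:// resource of a DLL in C:\\WINDOWS"
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook has been removed"
    if section == "O2" and body.split(" - ")[0].strip() == "BHO: Class":
        # Legitimate BHOs carry a product name; a bare 'Class' with a random DLL does not.
        return "BHO with no descriptive name"
    if section == "O4":
        target = body.split("] ", 1)[-1]
        if TEMP_DIR_RE.search(target):
            return "autorun entry executing from a Temp directory"
        if ROOT_EXE_RE.match(target):
            return "autorun entry executing from the drive root"
    if section == "O16" and IP_URL_RE.search(body):
        return "ActiveX control downloaded from a bare IP address"
    if section == "O23" and "(file missing)" in body:
        short_name = body.split("(", 1)[1].split(")", 1)[0].strip()
        reason = "service entry whose binary is missing"
        if not short_name.isascii():
            reason += " and whose short name is unprintable"
        return reason
    return None


def triage_log(text: str) -> Dict[str, str]:
    """Map each suspicious line of a log to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings[line.strip()] = reason
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(f"[!] {why}\n    {flagged}")
```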


#11 NeoBabylonian (New Member, Authentic Member, 15 posts)

Posted 02 January 2006 - 04:04 AM

Ok, here goes!

------------------------------------------------------------------------------------------------------------------
Latest HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 4:44:57 AM, on 02/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Priya Pancholi\Desktop\Security Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1862E5E3-645E-44CF-A2B2-2A8BD96866BF}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
------------------------------------------------------------------------------------------------------------------

------------------------------------------------------------------------------------------------------------------
Latest AboutBuster Log

AboutBuster 5.1, reference file 3
Scan started on [02/01/2006] at [4:29:22 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 4:29:26 AM

------------------------------------------------------------------------------------------------------------------


Here are a few things I'd like to mention:
(1) ntpy32.exe was not found during the safe mode hijackthis run. I found it during normal mode and zapped it.
(2) iema.exe was found during the safe mode hijackthis run. I deleted it even though you did not state for me to do so.
(3) there was an issue using sss in safe mode. The following notification appeared when I clicked on "clear selected items": "Access violation in address xxx in module sss.exe." However, I re-ran sss in normal mode and the notification did not appear.
(4) panda active scan found malicious items but I did not fix anything with their tools. No free option to fix was available for me. I went through the log myself and zapped anything related to spyware as necessary
(5) eTrust also found malicious items. I did the same as for panda...hand search and destroy!
(6) "backups" and "2001022409420406_files" folders were created on my desktop. I deleted them since they contained infected files. I hope that wasn't a mistake!
(7) Almost everything is back to normal except that startup time is still very slow...startup meaning, after I'm logged into windows, it takes a couple minutes before the desktop or any icons appear. That was never the case. Also, I'm not being allowed to change the desktop's background image. The "Infected" image I posted in the 1st post is gone, since I zapped the file, but I'm not being allowed to use anything else. In the "Display Properties" and under "Desktop" tab, I can't access the "Background", "Browse", or "Position" options for changing the desktop background appearance. Any ideas of what this could be?

Sorry if anything I wrote didn't make any sense. It's 5am and I've been up all night getting this machine running right. Items in #7 are the only things left unfixed from my perspective. You may see otherwise from your infinite knowledge and the HijackThis log. :) Thanks again for all the help and time. I've actually learned quite a bit doing this. :thumbup:

#12 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 02 January 2006 - 05:52 AM

Close all programs leaving only HijackThis running. Place a check against each of the following,

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Click on Fix Checked when finished and exit HijackThis.


To create a mergeable .reg file follow these simple instructions

1) Create a new file on your Desktop with Notepad
2) Copy the information with CTRL+C from the reg file on this page starting with the line that reads REGEDIT4.
3) Paste the information into the Notepad file
4) You must hit the Enter Key to place an extra line at the end
5) Then save it with a descriptive name and the extension .reg
6) Double click to merge it into your registry. That's it.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
70,00

[HKEY_CURRENT_USER\Control Panel\desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,88,40,84,d3,2b,c1,01
"OriginalWallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
"Wallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"=hex(2):25,00,41,00,4c,00,4c,00,55,00,53,00,45,00,52,00,53,00,\
50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,\
00,74,00,6f,00,70,00,00,00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
70,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,74,5c,\
57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"BackupWallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,\
74,5c,57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"WallpaperFileTime"=hex:00,77,28,0a,07,2e,c5,01
"WallpaperLocalFileTime"=hex:00,37,05,fc,c3,2d,c5,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"="C:\\WINDOWS\\Web\\SafeMode.htt"
"VisitGallery"=dword:00000000
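Before merging a .reg file from a forum post it is worth seeing exactly which keys and values it deletes and what the hex(2) blobs decode to (they are REG_EXPAND_SZ paths written out as bytes; the file above carries some in single-byte REGEDIT4 form and some in the UTF-16 form that the version 5.00 editor exports). The parser below is an added example, not part of this thread or of any tool mentioned in it. SAMPLE_REG is a constructed excerpt in the same shape as the posted fix, and the function names are assumptions of this example.

```python
"""Parse a REGEDIT4-style .reg file and list what merging it would do.

Added example (not from the thread). SAMPLE_REG is a constructed excerpt
shaped like the posted fix; it is not the full file.
"""
import re

SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
70,00
"Common Desktop"=hex(2):25,00,41,00,50,00,50,00,44,00,41,00,54,00,41,00,25,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"WallpaperStyle"="2"
"WallpaperFileTime"=hex:00,77,28,0a,07,2e,c5,01
"""

_SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg string literals escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _hex_bytes(payload):
    return bytes(int(b, 16) for b in payload.split(",") if b.strip())


def decode_hex_string(data):
    """Decode a hex(2)/hex(7) blob to text and report which encoding it used.

    Version 5.00 exports write strings as UTF-16-LE, REGEDIT4 exports as
    single-byte ANSI; a file may mix both, so detect by the zero high bytes.
    """
    if len(data) >= 2 and len(data) % 2 == 0 and all(
        data[i] == 0 for i in range(1, len(data), 2)
    ):
        return data.decode("utf-16-le").rstrip("\x00"), "utf-16-le"
    return data.decode("latin-1").rstrip("\x00"), "ansi"


def parse_value(raw):
    """Return (type, value) for the right-hand side of a value line."""
    if raw == "-":
        return "DELETE", None
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw!r}")
    type_code = int(m.group(1) or "3")  # plain "hex:" is REG_BINARY (type 3)
    data = _hex_bytes(m.group(2))
    if type_code == 2:
        return "REG_EXPAND_SZ", decode_hex_string(data)[0]
    if type_code == 7:
        text, _ = decode_hex_string(data)
        return "REG_MULTI_SZ", [s for s in text.split("\x00") if s]
    return ("REG_BINARY" if type_code == 3 else f"REG_TYPE_{type_code}"), data


def parse_reg(text):
    """Parse REGEDIT4 or version 5.00 text into a list of merge actions."""
    # A trailing backslash continues the line (regedit uses it for long hex data).
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing .reg header")
    actions, key = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue
        m = _SECTION_RE.match(ln)
        if m:
            key = m.group(2)
            if m.group(1) == "-":  # [-KEY] deletes the whole key
                actions.append({"key": key, "action": "delete_key"})
                key = None
            continue
        m = _VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError(f"unparseable line: {ln!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        vtype, value = parse_value(m.group(2).strip())
        if vtype == "DELETE":  # "Name"=- deletes a single value
            actions.append({"key": key, "action": "delete_value", "name": name})
        else:
            actions.append({"key": key, "action": "set", "name": name,
                            "type": vtype, "value": value})
    return actions


def summarize(actions):
    """Group actions by kind so the effect of a merge can be checked by eye."""
    out = {"delete_key": [], "delete_value": [], "set": []}
    for a in actions:
        if a["action"] == "delete_key":
            out["delete_key"].append(a["key"])
        elif a["action"] == "delete_value":
            out["delete_value"].append(f'{a["key"]}\\{a["name"]}')
        else:
            out["set"].append((f'{a["key"]}\\{a["name"]}', a["type"], a["value"]))
    return out


if __name__ == "__main__":
    for kind, items in summarize(parse_reg(SAMPLE_REG)).items():
        print(f"== {kind} ==")
        for item in items:
            print("  ", item)
```

Run it against the full posted file (saved as text) instead of SAMPLE_REG to see every policy value it clears and the decoded desktop paths it restores; anything the summary shows that you did not expect is the cue to ask before double-clicking.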



#13 NeoBabylonian

    New Member

  • Authentic Member
  • 15 posts

Posted 02 January 2006 - 11:52 AM

Wow little eagle, thanks man. Everything runs and looks very normal.

Just in case, here's a last HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:51:10 PM, on 02/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Priya Pancholi\Desktop\Security Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howu...nload/appdl.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1862E5E3-645E-44CF-A2B2-2A8BD96866BF}: NameServer = 68.94.156.1 68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

#14 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests: spyware

Posted 02 January 2006 - 12:39 PM

Not seeing anything wrong here :D
Not too sure about this one, but you can delete it; it will come back if you visit the site.
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.rich...st/twophase.cab

To help keep your PC clean, follow the recommendations in Tony Klein's article "So how did I get infected in the first place?"

#15 NeoBabylonian

    New Member

  • Authentic Member
  • 15 posts

Posted 02 January 2006 - 11:56 PM

Thanks again. I'll probably continue to visit this site. There's some very useful information here.
