Hi fcabanski, Thanks for posting your log, and while I do see a couple of items, I would prefer to wait for an expert who will be able to get them all. I can report that your HJT is not in the best place for making the backups it has to be able to make for safety. I would appreciate it if you would follow the directions in this link so you will be prepared to remove the bad stuff when the expert indicates what should go. Thanks much, be patient because of the holiday, and have a great Memorial Day....pskelley http://russelltexas.com/spywareinfo/createhjtfolder.htm
The file was removed: it was 2_0_1browserhelper2.dll. F-Secure is still giving warnings about it, and the popup with the warning won't stop. It says malicious code is found in c:\windows\2_0_1browserhelper2.dll, action cannot be taken. Click on OK, it pops up again immediately.
Logfile of HijackThis v1.97.7
Scan saved at 8:28:47 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Could be a bad install of F-Secure...that program sure does load a ton of processes...looks like it is vying with McAfee to see who can waste more RAM. *;-)
Run Disk Cleaner and see if that helps. If not I would uninstall F-Secure and reinstall it or another AV.
Your log looks fine except for the URL SearchHooks line which is an orphan. It may resist deletion in Hijackthis, so check here for tips on removal. Or leave it, it's fairly benign.
HTH,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
pskelley, 933 Posts, May 31st, 2004 15:00
fcabanski, 16 Posts, June 1st, 2004 19:00
fcabanski, 16 Posts, June 4th, 2004 01:00
Can't anyone help?
Now the computer will no longer open control panel, and often locks up the network with spyware activity.
HELP!!!!!
Texruss, 3.4K Posts, June 5th, 2004 20:00
First...thank you for being patient. The enemy is legion and we are few. Print this message as you have a long cleanup and I am compacting several steps into one post. If you're going to use P2P then you'll have to be good at following instructions for cleanup. *;-) After the cleanup I'll show you how to stay clean...I run several P2P's and never get infected by anything. So far anyway. >;->
Warning! Unsafe Hijackthis folder! Please create a new folder named HJT in the first level of the C: drive. Copy or move the hijackthis executable file into the HJT folder and delete all other zip copies and extracted copies elsewhere. If you don't you are going to have about 18 backup files sitting on your wallpaper when we get through wiping out the bad apples.
See FAQ's 2,3,4 at http://russelltexas.com/malware/faqhijackthis.htm
First major problem: You have a fairly new virus indicated by the file dirote.exe. Information link from TrendMicro AV is here. Norton has nothing on this one to my knowledge, probably not AVG either.
Get updated definitions for AVG although it probably won't detect it. That's OK...we will kill it with Hijackthis in the Registry and delete the virus folder manually.
Scan, check, and fix checked this line in Hijackthis:
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
Reboot to SAFE MODE and Show HIDDEN FILES and folders (VERY IMPORTANT!)
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following folder:
C:\WINDOWS\System32\f0r0r
Run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Run AVG in Safe mode and see if it detects anything else.
Reboot to normal mode Windows.
Second...you have a Peper infection as indicated by this line:
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Pwbm74i.exe
DO NOT FIX that line YET in Hijackthis...you will do so after running the tool at the following link:
http://russelltexas.com/malware/peper/pepercomments.htm
After running the tool and fixing the hostile file run Hijackthis, scan and check:
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Pwbm74i.exe
With no other windows open click on fix checked button in Hijackthis.
Reboot and run a fresh Hijackthis scan. If you see any 14 character CLSIDs in the O4 section that match the pattern described on the Peper webpage then exit and run the tool again. If the Peper entry is not visible then proceed with the rest of the cleanup:
Scan and check these line entries if they are still present:
R3 - URLSearchHook: (no name) - _{1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [XM5WVdD.exe] C:\documents and settings\frank\local settings\temp\XM5WVdD.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [378h35V] crypldlg.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00002/chm.chm::/files/initial.cab
Comments: a real baddie...iSearch Toolbar parasite
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webinstall/shockwave/Install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/shockwave/polarbowler/install.cab
Comments: Gray area ActiveX scripts here...optional fix. Let me just say I wouldn't let Wild Tangent within ten feet of my machines at home. If you decide to get rid of it you will lose the ability to play some games on the Net which are part of the Wild Tangent adware package. Wild Tangent used to have an uninstall in the Wild Tangent Control Panel Applet. But on the machine I cleaned out manually in person Friday, the applet didn't have this option and instead there were three Wild Tangent entries in Control Panel/Add or Remove Programs. Remove it there if you desire (highly recommended).
With no other windows open click on fix checked button in Hijackthis.
Reboot to SAFE MODE and Show HIDDEN FILES and folders
FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders (if they are present):
Files
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\crypldlg.exe
C:\WINDOWS\System32\wserv32.exe
C:\WINDOWS\System32\toolbar.dll
C:\WINDOWS\System32\bridge.dll (may not be present)
Folder and/or Folder files
C:\WINDOWS\System32\f0r0r (if it is still present)
C:\Program Files\AutoUpdate
C:\Program Files\SysAI
C:\documents and settings\frank\local settings\temp\ (delete all files in the temp folder; leave the folder name temp intact)
Exit Explorer.
Run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.
Reboot to normal mode Windows.
Download and run these two programs at the following link (Spybot S&D and Adaware). Use Spybot first.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...print out the guide and go slow on the directions for the custom setup of Adaware:
http://www.cjwd.demon.co.uk/spybot-adaware.html
After cleaning with these two programs...Browse a bit and post a new Hijackthis log.
Two final comments... I would get rid of Memturbo. RAM memory managers don't work and they often make things worse. The only solution for RAM performance is buying physical RAM. I've been down this road for 15 years and seen virtually every RAM booster sold. None have been effective in my opinion since the DOS days when several products were useful.
Also...a favor...there is a file I want you to research for me on your computer. When you post back I will ask you for your help on this.
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
fcabanski, 16 Posts, June 6th, 2004 02:00
The link to peperfix is page not found.
Did a google search for it, and there are no working links to peper fix.
Texruss, 3.4K Posts, June 6th, 2004 03:00
Sorry about that...they may be down due to a denial of service attack or the tool may have been withdrawn. I have a couple of other peper tools we may use, but for now proceed with the other cleanup sections...the virus, and the rest. We can save peper for last. I am consulting with other experts at Tom Coyote for their advice on which tool we will use for peper if the other one is unavailable.
Edit: Thanks Derf...that was one I am considering and it probably will work. But we have had some pepers resistant lately and the tool on my webpage had been the best up until now. *;-(
It won't hurt to try that one if you wish...it will either work or it won't, but it won't create any problems if it fails. So on second thought....go ahead and try that one suggested by Derf.
Texruss
Message Edited by Texruss on 06-06-2004 12:04 AM
Dave Lyle, 2K Posts, June 6th, 2004 03:00
fcabanski, 16 Posts, June 6th, 2004 06:00
Used a different peper fix, and completed all steps.
F-Secure came up with 1000 warning messages after all these steps were complete. Here is the HijackThis log. Thanks for all the help:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\winhlp32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [Update Service] C:\WINDOWS\System32\toxgid.exe
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vutzngyw.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Add to PrivUrl (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8B36EE17-F914-4D89-B2BA-612394ECF3B1} (MakeDesk Class) - http://www.ladydream.com/activex/desktopicon/mkdesk.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.8079050926
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
Texruss, 3.4K Posts, June 6th, 2004 14:00
Wow..I am impressed! Good job! You worked really hard and the new log results seem to indicate your machine must feel much better.
BTW...I have updated my peper page with the new link to alternative tool (the one Derf suggested). Tom Coyote experts agreed it is a good one. Thanks Derf!
F-Secure is an old buddy of mine...we go back over 15 years. Good choice. Does it find anything in a full system scan? What did the "1000" alerts refer to and is it now settled down?
Any other issues?....your log looks clean, but I'll hold off on all clean message until I hear from you.
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
fcabanski, 16 Posts, June 6th, 2004 16:00
F-Secure found:
Backdoor.Rbot.gen
Exploit.Win32.RPCLSA.01.c
TrojanClicker.Win32.Delf.r
TrojanDownloader.Win32.VB.cw
It renamed three for further action by me, and couldn't do anything with TrojanClicker. This was in 2_0_1browserhelper2.dll and could not be renamed.
I removed the other renamed files.
Texruss, 3.4K Posts, June 6th, 2004 18:00
Oops...glad I rechecked...several baddie Trojans still. Mea culpa...Sunday daydreaming I guess:
Scan, check, and fix checked these (Use Safe Mode Hijackthis):
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [Update Service] C:\WINDOWS\System32\toxgid.exe
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vutzngyw.exe
O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
Exit Hijackthis. Run Windows Explorer, enable Hidden Files option and delete:
C:\Windows\System32\wuamagr32.exe
C:\WINDOWS\System32\toxgid.exe
C:\WINDOWS\System32\vutzngyw.exe
C:\WINDOWS\System32\lsrv.exe
They don't show in Processes so they should not put up much of a fight. If they do, hit the Control-Shift-Escape keys at the same time and stop that process. Then delete. If they still resist, right button click on the filename and remove the checkmark for the Read-Only attribute.
Exit Explorer.
Then run Disk Cleaner again and wax all the stuff deleted. Reboot to normal mode Windows and rescan with F-Secure...see if you can get a location for 2_0_1browserhelper2.dll . I have seen that one before in logs.
Post a fresh log. After we get it all cleaned you will need to flush your Restore Points:
After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus program.
See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm
Cheers,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
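As an added example, not code from the thread or from Texruss's site: a small Python triage script that scores HijackThis O4 registry entries with the signals the two Texruss cleanup posts above apply by eye (a display name that mimics a Windows component, a bare filename with no path, the 14-character Peper value name, more than one executable in a single value, rundll32 loading a DLL at logon). The weights, thresholds and regex patterns are my assumptions; the sample lines are copied from the logs quoted in this thread.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example, not part of the thread: scores each registry O4 entry with
the review signals the helpers in this thread apply by eye, so the bulk of a
log can be sorted before a human looks at it. Weights are assumptions.
"""
import re

# Constructed sample: O4 lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [Update Service] C:\WINDOWS\System32\toxgid.exe
O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\vutzngyw.exe
O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Pwbm74i.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Registry O4 lines only; Global Startup shortcuts use a different layout and are skipped.
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Windows does not register its own components under Run with display names like
# "Microsoft Update" or "Disk Defragmenter", so such a name is a strong signal.
IMPERSONATION = re.compile(r"\b(microsoft|windows|update|defragment)", re.I)
# The Peper loader pattern the thread refers to: a 14-character upper-case
# alphanumeric value name such as 2LRX2W83X2T3MQ (assumed shape).
PEPER_NAME = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{14}$")
FIRST_EXE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.I)
EXE_TOKEN = re.compile(r"\.exe\b", re.I)


def parse_o4(line):
    """Return a dict with hive, key, name and cmd for a registry O4 line, else None."""
    m = O4_LINE.match(line.strip())
    return m.groupdict() if m else None


def score_entry(entry):
    """Apply the review signals; return (score, reasons, executable path)."""
    name, cmd = entry["name"], entry["cmd"]
    exe = FIRST_EXE.match(cmd)
    path = exe.group("path") if exe else (cmd.split() or [""])[0]
    reasons = []
    if IMPERSONATION.search(name):
        reasons.append(("display name mimics a Windows component", 2))
    if PEPER_NAME.match(name):
        reasons.append(("14-character Peper-style value name", 2))
    if "\\" not in path:
        reasons.append(("bare filename, resolved through the PATH search", 1))
    if len(EXE_TOKEN.findall(cmd)) > 1:
        reasons.append(("more than one executable in a single value", 1))
    if path.lower().endswith("rundll32.exe"):
        reasons.append(("rundll32 loading a DLL at logon", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons], path


def verdict(score):
    """Score 2 or more is suspicious, exactly 1 goes to a review queue."""
    return "suspicious" if score >= 2 else "review" if score == 1 else "ok"


def triage(log_text):
    """Parse every registry O4 line of a log and return one finding per entry."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        score, reasons, path = score_entry(entry)
        findings.append({"name": entry["name"], "key": entry["key"], "exe": path,
                         "score": score, "reasons": reasons, "verdict": verdict(score)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['score']}  [{f['name']}] {f['exe']}  {'; '.join(f['reasons'])}")
```

A score of 1 is a review queue, not a verdict: the Conexant carpserv.exe entry is bare but legitimate, and the rn4d value that launches dirote.exe earns only a single point, which is why the human review in this thread still matters.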
fcabanski, 16 Posts, June 7th, 2004 02:00
After completing the last steps, here is the HijackThis log. Browserhelper2.dll is in the c:\windows dir.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure Anti-Virus\FSGUI\fsavgui.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Add to PrivUrl (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8B36EE17-F914-4D89-B2BA-612394ECF3B1} (MakeDesk Class) - http://www.ladydream.com/activex/desktopicon/mkdesk.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.8079050926
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
Texruss
3.4K Posts
0
June 7th, 2004 03:00
Delete it please in Safe Mode Windows Explorer.
C:\Windows\Browserhelper2.dll
Any issues? And please post a new log with the full Hijackthis header...the part that says Windows version and Hijackthis version.
Texruss
fcabanski
16 Posts
0
June 7th, 2004 12:00
The file was removed: it was 2_0_1browserhelper2.dll. F-Secure is still giving warnings about it, and the popup with the warning won't stop. It says malicious code is found in c:\windows\2_0_1browserhelper2.dll, action cannot be taken. Click on OK, it pops up again immediately.
Logfile of HijackThis v1.97.7
Scan saved at 8:28:47 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Add to PrivUrl (HKCU)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {67914C73-6B13-4365-8052-06C1C765CD20} (UAClientControl Control) - http://www.ultimatearena.com/UAClientControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8B36EE17-F914-4D89-B2BA-612394ECF3B1} (MakeDesk Class) - http://www.ladydream.com/activex/desktopicon/mkdesk.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38050.8079050926
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (Sony Pictures Game Downloader) - http://www.sonypictures.com/charliesangelsgame/SonyPicturesGameDownloader.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
Texruss
3.4K Posts
0
June 7th, 2004 16:00
Could be a bad install of F-Secure...that program sure does load a ton of processes...looks like it is vying with McAfee to see who can waste more RAM. *;-)
Run Disk Cleaner and see if that helps. If not, I would uninstall F-Secure and reinstall it or another AV.
Your log looks fine except for the URL SearchHooks line which is an orphan. It may resist deletion in Hijackthis, so check here for tips on removal. Or leave it, it's fairly benign.
HTH,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Spyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
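As an added example (not code from the thread, from Texruss, or from HijackThis itself), here is a small Python triage script for log text of the shape posted above: it pulls out the header lines the helper asks for, lists the "is missing" orphans such as the R3 URLSearchHook line, collects the download hosts of the O16 entries, and notes O4 Run values that carry no directory. The sample log is constructed from lines of the posted logs; the parsing regexes and the triage heuristics are my assumptions, not a HijackThis specification.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code).

The parsing rules are assumptions taken from the line shapes visible in the
posted logs (R1/R3/O2/O4/O16 prefixes); HijackThis publishes no formal spec.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample, modelled on the logs posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:28:47 AM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {8B36EE17-F914-4D89-B2BA-612394ECF3B1} (MakeDesk Class) - http://www.ladydream.com/activex/desktopicon/mkdesk.cab
"""

# Assumed line shapes: "<code> - <body>", "<hive>\..\Run: [<name>] <cmd>".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class HjtLog:
    version: str = ""
    platform: str = ""
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)  # dicts: code, body, clsid, url, missing


def parse_hjt_log(text):
    """Split a log into header fields, running processes and R/F/N/O entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the entry section has started
            body = m.group("body")
            clsid = CLSID_RE.search(body)
            url = URL_RE.search(body)
            log.entries.append({
                "code": m.group("code"),
                "body": body,
                "clsid": clsid.group(0).upper() if clsid else None,
                "url": url.group(0) if url else None,
                "missing": body.endswith("is missing"),
            })
        elif line.startswith("Logfile of HijackThis "):
            log.version = line[len("Logfile of HijackThis "):]
        elif line.startswith("Platform: "):
            log.platform = line[len("Platform: "):]
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
    return log


def has_full_header(log):
    """True when the log carries the version and platform lines helpers ask for."""
    return bool(log.version and log.platform)


def find_orphans(log):
    """Entries HijackThis reports as missing (e.g. the R3 URLSearchHook line)."""
    return [e for e in log.entries if e["missing"]]


def dpf_hosts(log):
    """Sorted download hosts of the O16 (Downloaded Program Files) entries."""
    hosts = {urlparse(e["url"]).hostname for e in log.entries
             if e["code"] == "O16" and e["url"]}
    return sorted(hosts)


def unpathed_run_entries(log):
    """Names of O4 Run values whose command has no directory: the binary is
    resolved through the search path, so its real location needs confirming."""
    names = []
    for e in log.entries:
        if e["code"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if not m:
            continue
        cmd = m.group("cmd")
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if "\\" not in exe:
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print("header complete:", has_full_header(log))
    print("orphans:", [e["body"] for e in find_orphans(log)])
    print("O16 download hosts:", dpf_hosts(log))
    print("O4 values without a path:", unpathed_run_entries(log))
```

None of these checks decides that an entry is bad; they only surface the lines a reviewer reads first (the orphan, the unfamiliar download hosts, the Run values without a path), which is the same order of attention the replies above follow.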