New kid (Spyware-Virus) in town - Smartsearch.ws

Discussion in 'adware, spyware & hijack cleaning' started by rlachaine, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. rlachaine

    rlachaine Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    5
    To whom this may concern!

    Hello,

    I have a new one to be added to the list, it is called "smartsearch.ws".

    My computer was infected by this and my IE 6 (PC) was set to "smartsearch.ws".

    My search page was also the same.

    Plus, I had 3 viruses in my machine.

    Now, here are 3 .cpy files that were infected, luckily I was able to do a "system restore" as I am still unable to delete or clean these files.
    - A0077127.CPY
    - A0077128.CPY
    - A0077203.CPY

    Now, these files "may" differ from system to system, so, please be on guard!

    I was unable to find any information on the Internet regarding this new kid, but I know he's from the Orient.

    Plus, my "hosts.sam" file in windows\system folder had an entry added "127.0.0.1" and it seems to want to call this server in order to download new files / installed on a computer.

    There was also an .exe with a virus named "Q230903.exe".

    If anyone is reading this, I hope something can be done about it, and fast!!!

    I did a virus scan online, and it found a virus called "Proxy-Hino.dldr" which it did not recognize. Most bizarre! Also "Downloader-EQ" associated with "lexbac.exe" and "lexbacc.exe".

    Please forward my message to anyone who will listen my heed of warning!

    Thanks for reading! :)

    Roger
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Roger,

    Welcome to Wilders. :)

    This is a variant of CWS that was first discovered yesterday.
    Please download and run CWShredder

    Then please follow the instructions in this post:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. rlachaine

    rlachaine Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    5
    Hello Pieter,

    Thank you very much.

    It seems I was one of the "pioneers" if I could say that was caught by this.

    I have a firewall program, but let my guard down. I will install that program you left as a link, I appreciate it very much!

    I will contact my local police as well as the RCMP here in Canada to investigate this matter as well.

    Best regards,

    Roger
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Roger,

    I had the "pleasure" of running that file (mine was called directx.exe) myself, because I wanted to find out what exactly it did.

    Not funny. It rewrites all three startup entries to the registry every second. Plus 18 counts of a browser-hijack. :eek:

    I am not sure if all possible filenames were added to CWShredder, so if you have any problems, feel free to post your HijackThis log.

    Regards,

    Pieter
     
  5. rlachaine

    rlachaine Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    5
    Thank you Pieter,

    I will do that!

    I appreciate all the help and I will contribute to the forum as much as I possibly can!

    Best regards,

    Roger
     
  6. rlachaine

    rlachaine Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    5
    CWS Shredder

    Pieter,

    I have run CWS shredder and came up with these results...
    ---------------------------------------------------------
    Found Hosts file: C:\WINDOWS\hosts (25 bytes, A)
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2144 bytes, A)
    Found Win.ini file: C:\WINDOWS\win.ini (10206 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2302 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    ---------------------------------------------------------

    Anything bad in here?

    Roger
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Roger,

    Not necessarily, but it never hurts to use the Fix button.
    Make sure to close all browser windows.

    Regards,

    Pieter
     
  8. rlachaine

    rlachaine Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    5
    Hello Pieter, :)

    Seems all is fine. Here is my log :

    Done!
    Your system was completely clean.

    Windows ME (4.90.3000 )
    CWShredder v1.44.1

    ------------------------------

    I think in having done a "system restore", (which I rarely do), did fix my problem in the first place.

    I do find that my system doesn't run as it used to... but will have to live with it for the time being. :doubt:

    The virus files have been removed, yet, not all of them.

    The .cpy files as noted in my original message remain infected, and I am unable to delete them. I have no way to remove the write protection in the folder or file(s). These are under my "c:\_restore\temp" folder or anything else residing under "c:\_restore".

    I did manage to do it "once", but I can't remember how I did it.

    I am pretty good with a PC, but this one's got me "stumped" o_O

    Best regards,

    Roger
     
  9. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Hi Roger,

    If you haven't already, you might try this:

    1. Click Start, Settings, and then click Control Panel.
    2. Double-click the System icon. The System Properties dialog box will appear.

    NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

    3. Click the Performance tab, and then click File System.
    4. Click the Troubleshooting tab, and then check Disable System Restore.
    5. Click OK. Click Yes, when you are prompted to restart Windows.

    Run your up to date antivirus.

    Once you have cleaned the virus or other problem from the computer, reenable System Restore.

    Good luck. ;)
     
  10. dek

    dek Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    4
    Ok, first time poster :) Got this today and I've tried all the regular progs to get rid of this sucker but it's still here :mad:

    I'm running Win 2000 ver 5.00.2195, Service Pack 4

    IE ver 6.0.2800.1106IS

    I ran Adaware, found problems, fixed, then reboot.
    Ran Spybot S&D, found problems, fixed, then reboot.
    Ran Hijack This, found problems, fixed, then reboot.

    And still this damn hijacker is still here. I even ran cwshredder and it said it removed the smartsearch files, but when I open my browser, it's right back to square one.

    Anyways, here's my hijackthis log.

    Logfile of HijackThis v1.97.3
    Scan saved at 8:25:15 PM, on 1/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\System\systeem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    E:\Big Files Downloaded\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Windows Messenger] C:\Program Files\BPK\Windows Messenger.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
    O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37995.8039351852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I killed all the obvious ones, but they keep coming back.

    Any help is definitely appreciated.
     
  11. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hey dek,
    Will you please download SpywareBlaster from http://www.javacoolsoftware.com/spywareblaster.html
    SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. This includes general spyware and malicious dialers. It also blocks a list of known spyware related cookies in IE6. ...LWM
    And of course do run adware, spybot and hijackthis and fix the problems, and then see whether the problems exist...
    Thanks
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    sub,

    The poster actually has done so - please read his post closely.

    regards.

    paul
     
  13. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Paul,
    With regards to you... I know that he has already done that... but as those were not doing the needful... that's why I told the poster to download SpywareBlaster first... run that... and of course do run adware, spybot and hijackthis and fix the problems and then see whether the problems exist... (if possible run SpywareBlaster again)
    (One more thing I should say... if you have done the blaster run part too... then I think this post of mine should be reconsidered)
    I think I read it closely :)
    Thanks
     
  14. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Dek ;)

    I take it you are sure you have the latest version of CWShredder?

    Can you please close out of all program windows and select and fix the following...

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=

    And if you did not intend to install this presumed keylogger on your machine I recommend you select and fix it...

    O4 - HKLM\..\Run: [Windows Messenger] C:\Program Files\BPK\Windows Messenger.exe

    Also, if you are at all unsure of the following you should select and fix the following two...

    O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
    O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe

    Once you have done this please reboot and post a fresh log and await word from Pieter, Unzy or Tony

    There is no need to run SpywareBlaster multiple times (except of course to update it). As it is not a scanner the only time you need to run it is for updates.

    Regards,

    Dan
     
  15. dek

    dek Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    4
    Ok, I did everything recommended, it's still here :mad:

    Dan - I followed your instructions, got rid of everything you said, upon reboot most of it comes right back. Also, my CWshredder is the current version.

    Here's the latest log :

    Logfile of HijackThis v1.97.3
    Scan saved at 12:01:31 AM, on 1/10/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\System\systeem.exe
    E:\Big Files Downloaded\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartsearch.ws
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartsearch.ws/?q=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartsearch.ws/?q=
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://smartsearch.ws/?q=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
    O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O13 - DefaultPrefix: http://smartsearch.ws/?q=
    O13 - WWW Prefix: http://smartsearch.ws/?q=
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37995.8039351852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  16. dek

    dek Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    4
    Well, I won't be back here until Monday night, guess the day shift guy will have to deal with it :)

    Thanks.
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi dek,

    Enjoy your weekend ;)

    And no doubt this will be attended before you'll pay us another visit on Monday ;)

    regards.

    paul
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi dek,

    When you read this on Monday, please download and run CWShredder.

    On the off chance that that does not work:
    Bring up TaskManager and end-task systeem.exe

    Then fix the items Dan listed (including the lines containing systeem.exe) in HijackThis and reboot.

    Regards,

    Pieter
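
The order of operations in the post above (end the running process first, then fix the entries), as an added example that is not part of the original thread or of HijackThis itself. It parses a HijackThis-style log, lists the browser settings pointing at a given domain, and cross-references `Run` startup entries with the running-process list; the function names, the constructed sample log and the analyst-supplied suspect list are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a shortened HijackThis log built from lines quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.3
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\System\systeem.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartsearch.ws/?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartsearch.ws
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
O4 - HKCU\..\Run: [SystemEmergency] C:\Program Files\Common Files\System\systeem.exe
O13 - DefaultPrefix: http://smartsearch.ws/?q=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # e.g. "R1 - ...", "O4 - ..."
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")  # O4 registry Run entries


def parse_log(text):
    """Split a log into running process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the process list ends at the first R/O entry
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def exe_name(command):
    """Lower-cased file name of the executable in a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces, so cut after the first ".exe".
        m = re.match(r"(.+?\.exe)\b", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return path.rsplit("\\", 1)[-1].lower()


def points_to(body, domain):
    """True when the URL in an entry is hosted on `domain` or a subdomain of it."""
    m = re.search(r"https?://\S+", body)
    if not m:
        return False
    host = (urlparse(m.group(0)).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def remediation_plan(text, domain, suspect_exes):
    """Order the clean-up: live suspect processes first, then registry entries."""
    processes, entries = parse_log(text)
    suspects = {s.lower() for s in suspect_exes}
    live = [p for p in processes if p.rsplit("\\", 1)[-1].lower() in suspects]
    startup = []
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m and exe_name(m.group(3)) in suspects:
            startup.append(f"{code} - {body}")
    settings = [f"{c} - {b}" for c, b in entries if points_to(b, domain)]
    return {"end_first": live, "fix_startup": startup, "fix_settings": settings}


if __name__ == "__main__":
    plan = remediation_plan(SAMPLE_LOG, "smartsearch.ws", ["systeem.exe"])
    for step, items in plan.items():
        print(step)
        for item in items:
            print("   ", item)
```

A non-empty `end_first` list means the startup entries belong to a process that is still running, which is the situation in which fixed entries were reported to come back after reboot.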
     
  19. ..MK..

    ..MK.. Guest

    Hi, I also have the smartsearch thing on my computer. It is stopping me from being able to use various search engines, which annoys me. I have downloaded the suggested programs to be rid of it, i.e. cwshredder and spyware blaster, but the smartsearch thing still remains on my computer. I also wasn't able to do system restore because it wasn't enabled on my computer before the smartsearch thing came onto it. Is there anyone that can help me and tell me how to get rid of this smartsearch problem?

    Thank you
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi ..MK..,

    Sure. Please follow the instructions here http://www.wilderssecurity.com/showthread.php?t=15913 on how to post your HijackThis log and I'm sure we can assist you in getting rid of it.

    Regards,

    Pieter
     
  21. yokenny

    yokenny Registered Member

    Joined:
    Apr 8, 2003
    Posts:
    27
    Location:
    Toronto, Canada
    Topic moved
     
  22. dek

    dek Registered Member

    Joined:
    Jan 9, 2004
    Posts:
    4
    Pieter,

    Ran CWshredder and it was still coming back. Opened up task manager, stopped systeem.exe, ran hijackthis, eliminated all traces of it, ran CWshredder and rebooted.

    Success!

    Thanks!!!

    Here's my hijackthis log

    Logfile of HijackThis v1.97.3
    Scan saved at 4:45:53 PM, on 1/12/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Documents and Settings\atm.DESKTOP5\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37995.8039351852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands