CommonName Pain

Discussion in 'adware, spyware & hijack cleaning' started by farley, May 24, 2004.

Thread Status:
Not open for further replies.
  1. farley

    farley Registered Member

    Joined:
    May 21, 2004
    Posts:
    5
    Hello,

    I had several spyware problems last week and eliminated (I think) most of them. However, my browser is still getting hijacked periodically, and I'm getting popups on startup.

    Have run Adaware and SpyBot, which keeps finding and eliminating "CommonName." So I guess that's the ticket. After running both these programs, here is my HijackThis log. Any help would be much appreciated.

    ========================

    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:34 PM, on 5/23/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\INTERNET KEYWORD\INETMGR.EXE
    C:\WINDOWS\SYSTEM\HPDLLHOST.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\GURUNET\GURUNET.EXE
    C:\PROGRAM FILES\INTERNET KEYWORD\INETSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\agtexe16.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\DESKTOP\SECURITY\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTBHO.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRAM FILES\INTERNET KEYWORD\INETKW.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {13E23C9E-3018-4AC1-B998-C08BF1814DB0} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.972025463
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-a.mhi.aol.com/netagent/objects/custappx2.CAB
     
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello farley,

    Before you start, please move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a folder with other programs.

    Please close down all the browser windows, window instances and have HijackThis fix the following entries.

    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
    O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    The entries in Navy color are optional to remove but recommended because it's a major resource hog.

    Reboot your machine and boot into safe mode by tapping the F8 key (8-9 times) at bootup.

    It may happen that the file is hidden, so first unhide the files using the following instructions...
    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search and, if present, delete the following files..

    C:\WINDOWS\SYSTEM\subieos.exe
    C:\WINDOWS\SYSTEM\READDB40.DLL
    C:\WINDOWS\SYSTEM\hpdllhost.exe

    Reboot your machine and boot into normal mode.

    Rescan your machine with HijackThis and please post a fresh log..

    With Thanks !
    Newkid !
     
  3. farley

    farley Registered Member

    Joined:
    May 21, 2004
    Posts:
    5
    Hey thanks, New Kid,

    I did as you said, and here's the log. Btw, only found C:\WINDOWS\SYSTEM\hpdllhost.exe

    ===================

    Logfile of HijackThis v1.97.7
    Scan saved at 1:47:02 AM, on 5/24/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\INTERNET KEYWORD\INETMGR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\GURUNET\GURUNET.EXE
    C:\PROGRAM FILES\INTERNET KEYWORD\INETSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\agtexe16.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\DESKTOP\SECURITY\HIJAKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTBHO.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRAM FILES\INTERNET KEYWORD\INETKW.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {13E23C9E-3018-4AC1-B998-C08BF1814DB0} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.972025463
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-a.mhi.aol.com/netagent/objects/custappx2.CAB

    =============

    cheers...
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Farley,

    Sorry, I forgot to mention to fix the LOP infection entries.

    Please close down all the browser windows, window instances and have HijackThis fix the following entries.

    O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRAM FILES\INTERNET KEYWORD\INETKW.DLL

    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
    O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe

    The entries in Navy color are optional to remove. They're typically infrequently used tasks that can be started manually if necessary..

    At last, I'm not sure what these are whatsoever :p

    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE

    Reboot your machine and boot into safe mode by tapping the F8 key (8-9 times) at bootup.

    It may happen that the file is hidden, so first unhide the files using the following instructions...

    http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

    Search and, if present, delete the following files..

    C:\WINDOWS\SYSTEM\subieos.exe
    C:\WINDOWS\SYSTEM\hpdllhost.exe
    C:\PROGRA~1\INTERNET KEYWORD\ <- Delete complete folder

    Still in safe mode, I recommend you please scan your machine online at http://housecall.trendmicro.com/. Don't forget to check the 'Autoclean' checkbox there.

    Reboot your machine and boot into normal mode.

    Rescan your machine with HijackThis and please post a fresh log..

    With Thanks !
    Newkid !
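
    Added example, not part of the original posts: a Python check of which entries from a HijackThis fix list are still present in a follow-up log. The sample strings are excerpts of lines posted in this thread; the function names are hypothetical.

```python
import re

# HijackThis item lines look like "O4 - HKLM\..\Run: [name] command".
# Header lines and the "Running processes" paths do not match this shape.
ITEM_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
RUN_NAME_RE = re.compile(r"\[(.+?)\]")

def parse_items(log_text):
    """Return a set of (section, normalized detail) for every item line."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            # Collapse whitespace and case so C:\WINDOWS and c:\windows compare equal.
            detail = " ".join(m.group(2).split()).lower()
            items.add((m.group(1), detail))
    return items

def still_present(fix_list, followup_log):
    """Entries that were on the fix list but survive in the follow-up log."""
    return sorted(parse_items(fix_list) & parse_items(followup_log))

def run_value_names(items):
    """Pull the [value name] out of O4 autostart entries, for reporting."""
    names = []
    for section, detail in items:
        m = RUN_NAME_RE.search(detail)
        if section == "O4" and m:
            names.append(m.group(1))
    return names

# Excerpt of the first fix list in this thread.
FIX_LIST = r"""
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINDOWS\SYSTEM\READDB40.DLL,EnableRunDLL32
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Excerpt of the follow-up log posted afterwards (5/24/04, 1:47 AM).
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE
O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\SYSTEM\subieos.exe
O4 - HKLM\..\Run: [000hpdllhost] C:\WINDOWS\SYSTEM\hpdllhost.exe
O4 - Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
"""

if __name__ == "__main__":
    survivors = still_present(FIX_LIST, FOLLOWUP_LOG)
    for section, detail in survivors:
        print(f"still present: {section} - {detail}")
    print("autostart values to re-check:", run_value_names(survivors))
```

    An entry that survives a fix usually means the value was rewritten after the fix (for example by a process that was still running), which is why the fix is repeated with browser windows closed and followed by a safe-mode file deletion.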
     
  5. farley

    farley Registered Member

    Joined:
    May 21, 2004
    Posts:
    5
    Hello again,

    Sorry for the delay, but I haven't been able to get back to this until now.

    I got online a couple of hours ago and did a couple of things before checking back on this site. I definitely still had spyware. It is throwing up popups and making everything slow down. Did a spybot scan, which again found CommonName. Grrrr.

    I then came back here and did everything you said. I didn't delete this file, though, as you said you weren't sure what it was:
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE

    I then went to http://housecall.trendmicro.com/ and did their scan. It told me I had a virus (Troj_vivia.a) that was uncleanable. I did "delete" it though, but don't know if that did anything. I also went to the directions on their site to delete "troj_viva" but wasn't about to find the files in regedit that they said would be there (I probably shouldn't be messing around in regedit anyway).

    One thing. I wasn't about to do this scan in safe mode as you suggested because I couldn't get online in safe mode.

    Finally, I rebooted and did another spybot (found nothing) scan and then an adaware (found a bunch of crap, which I deleted) scan. Then did a hijackThis scan. Here is the log.

    ======================================
    Logfile of HijackThis v1.97.7
    Scan saved at 10:48:32 PM, on 5/24/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\GURUNET\GURUNET.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\agtexe16.exe
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\DESKTOP\SECURITY\HIJAKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\PROGRAM FILES\COMMON FILES\ATOMICA SHARED\AGTBHO.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\INETMGR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: GuruNet.lnk = C:\Program Files\GuruNet\GuruNet.exe
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {13E23C9E-3018-4AC1-B998-C08BF1814DB0} - http://ftp.gurunet.com/pub/cabs/GNInstaller.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38107.972025463
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-a.mhi.aol.com/netagent/objects/custappx2.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    ===========================

    So appreciate your help.
     
  6. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Farley,

    Your new log looks clean to me. :) Is everything back to normal?

    Now, we recommend you have a look at the following link:

    how did I get infected in the first place?.

    With thanks !
    Newkid !
     
  7. farley

    farley Registered Member

    Joined:
    May 21, 2004
    Posts:
    5
    Hey New Kid,

    I probably won't know if everything is back to normal until I reboot tomorrow. Going to bed right now though.

    I went to the website you recommended and followed (or will follow tomorrow -- yawn) the directions.

    Thanks again for your help.

    And I have only one more question. Were you really born in 1989? If so, would you please lie to me. You're making me feel old.

    Cheers,

    Farley
     
  8. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Farley,

    Will you please confirm whether your issue is sorted out or not? If your issue is sorted out then I'll request admin to close this thread.

    Sorry to say, but it's True... :D :D

    With Thanks !
    Newkid !
     