Help plz with aim worm i think

Discussion in 'malware problems & news' started by Hallowedman1212, Sep 18, 2003.

Thread Status:
Not open for further replies.
  1. Hey guys ive got a seriuos problem with aim it seems that every once in a while this thing sends a mesage that says Yo!! check out this new camera im getting from best buy then when u click on it a pages comes up that cannot be diplayed and u get this virus thing.

    it messes with u and replaced what u say every like 5 messages witht hat message to otehr peopela dn u dont even know it. plus it turns on and off aim at will doing it whenever it wants. i dont know what to do so plz help!

    If anyone can tell me what to do to fix it ti would be much appreciated thanks very much this things super annoying and me and all my friend shave it now.

    DK
     
  2. Logfile of HijackThis v1.97.2
    Scan saved at 9:14:42 PM, on 9/18/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\winupdat.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Danny\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6BF8D3-06DC-41C4-B752-B66F09308B3D}: NameServer = 206.141.193.55,66.73.20.40

    i found another place where u talked about a aim worm and someone said to use hijackthis.... so i did and this is what i got.. thx for all your help.

    - Broke up a long line to fix thread width problem (see "..." breaks) - LWM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Hi Hallowedman1212,

    It looks like you have a lot of virus/malware problems in there. Do you have an Anti Virus product installed and up to date on your system? Have you done any scans lately with any other tools?

    It might be good to start with an online scan such as the Panda Active Scan, see the link at this page:

    http://www.wilders.org/free_services.htm

    It may cleanup some of this for you. If so, do another HijackThis and post a new log afterwards.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Also, Spybot S&D would be a good thing to run after the virus scan above, as it may clean some more stuff out prior to doing any manual cleanups with HijackThis.

    http://www.safer-networking.org/
     
  5. This is the new scan

    Logfile of HijackThis v1.97.2
    Scan saved at 1:36:39 AM, on 9/20/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\winupdat.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM95\aim.exe
    C:\Documents and Settings\Danny\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=...
    sbc&.done=http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=...
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=http://sbc.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6BF8D3-06DC-41C4-B752-B66F09308B3D}: NameServer = 206.141.193.55,66.73.20.40

    thats the new scan after the first 2 virus things were done the panda one is still going after its done ill do another one.

    Thanks a ton man u rule
    DK
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Do let us know if the virus scan or Spybot identify any serious problems. A few files / startup keys concerned me in your log, though I'm not sure about them...

    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE

    I'd like to know if the files from these keys were identified as either virus or spyware.

    Hopefully, others will stop by to advise you further. Check back after a while.

    Best Wishes,
    LowWaterMark
     
  7. BWMerlin

    BWMerlin Registered Member

    Joined:
    Aug 11, 2003
    Posts:
    71
    Winsock2 is a worm (W32.Spybot.Worm) and needs to be removed. It is not hard to get rid of just find the location of the file using search and delete it in safe mode (other wise u will get and an error msg saying it is in use). U will also need to disable system restore coz it also hids there. Here is a site that tells u how to remove it (if u can not edit your regeistry then it has disabled it (and mscofig and several other things like atl crtl delete) like it did to me, the guys who wrote this are idiots)

    http://www.sophos.com/virusinfo/analyses/w32spybotb.html
    http://www.symantec.com/avcenter/venc/data/w32.spybot.worm.html
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    WUAUMQR.EXE is a W32/Spybot-B worm variant. Winupdat.exe is almost certainly a trojan, and the rest is indeed spy/adware.

    First, would you please send me a copy of the C:\WINDOWS\winupdat.exe file for analysis, please?
    It would indeed seem to be an all new baddie, and in that case we'd certainly like to forward copies to the developers ASAP!

    We'd appreciate it! :)

    Now check, and have Hijack This fix the following:

    O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [winupdat] C:\WINDOWS\winupdat.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE

    O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab


    Now restart your computer, and delete:

    The C:\WINDOWS\System\WINSTA~1.EXE file
    The C:\WINDOWS\System32\WUAUMQR.EXE file

    And tempoarily rename the C:\WINDOWS\winupdat.exe file to winupdat.bak
     
  9. ok i did everything everyone told me to and heres the new hijack

    Logfile of HijackThis v1.97.2
    Scan saved at 12:43:37 PM, on 9/20/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\WINDOWS\SYSTEM32\tbctray.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Danny\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://rd.yahoo.com/customize/sbcydsl/
    defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*
    http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://login.yahoo.com/config/login?.partner=sbc&.done=
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=
    http://sbc.yahoo.com/
    http://login.yahoo.com/config/login?.partner=sbc&.done=http://sbc.yahoo.com/
    http://login.yahoo.com/config/login?.partner=sbc&.done=
    http://sbc.yahoo.com/http://login.yahoo.com/config/login?.partner=sbc&.done=
    http://sbc.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -
    C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe"
    /server /startmonitor /deaf /nosystray
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\
    IP InSight\IPMon32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/
    qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
    http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
    http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
    http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
    http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA6BF8D3-06DC-41C4-B752-B66F09308B3D}:
    NameServer = 206.141.193.55,66.73.20.40


    plz tell me what you think and thatnk you all very much!!!!!!!!!

    DK

    Edited to minimize horizontal scroll
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    A lot better! ;)

    TDS-3 nor Nod32 found anything wrong with the file, but I uploaded the Winupdat.exe file to the Dialogue Science online virus checker, and it deemed it suspicious indeed.

    Have forwarded the file to a number of developers.
     

    Attached Files:

    • DRW.jpg
      DRW.jpg
      File size:
      37.8 KB
      Views:
      545
Loading...
Thread Status:
Not open for further replies.