Hijack This Log File...

Discussion in 'adware, spyware & hijack cleaning' started by arko, Jul 20, 2004.

Thread Status:
Not open for further replies.
  1. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    Hello,

    I've run spybot and determined I have CleverIEHooker.jeired and DSO Exploit... I also had CoolWWWSearch and Vx2/f show up before but they seem to have been taken care of... Here is the lof from Hijack this, any help will be greatly appreciated...

    Thanks
    Matt
    -----

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\gklgtoir.exe
    C:\documents and settings\owner\local settings\temp\1FI.exe
    C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\mobevent.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINDOWS\System32\typec.exe
    C:\WINDOWS\System32\winnt$$.exe
    C:\WINDOWS\System32\sawtm.exe
    C:\WINDOWS\System32\Sak0lQS.exe
    C:\WINDOWS\System32\Yvyu10.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\America Online 7.0\waol.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=11340
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\k4we18vz8d.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [kdxybshhd] C:\WINDOWS\System32\gklgtoir.exe
    O4 - HKLM\..\Run: [1FI] C:\documents and settings\owner\local settings\temp\1FI.exe
    O4 - HKLM\..\Run: [uNuI2EL6] C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\TafqXPmo.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [sawtm] C:\WINDOWS\System32\sawtm.exe
    O4 - HKLM\..\Run: [typec] C:\WINDOWS\System32\typec.exe
    O4 - HKLM\..\Run: [winnt$$] C:\WINDOWS\System32\winnt$$.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [g047RXiml] mobevent.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D4F7E5-52EA-421D-9A2D-A381802EEE45}: NameServer = 205.188.146.146
     
  2. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    still need help... thankyou...
     
  3. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    bump....
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

    1. Open My Computer
    2. Right click on your hard drive that you wish to clean (C drive, for example)
    3. In the context menu that opens, select properties
    4. Under the general tab you should select Disk Cleanup
    5. Windows will scan your drive which will take a few seconds/minutes
    6. A box will display the various files you can remove. Here are some safe examples:

    Temporary Internet Files
    Recycle Bin
    Temporary Files

    7. Click OK and windows will comply.

    Reboot and post a new log here. Make sure you post the entire log. I want to see the top part that tells me your system and what versions you have.
     
  5. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    I did what you told and here is the new log file... Thankyou for the help.
    -Matt

    ------

    Logfile of HijackThis v1.97.7
    Scan saved at 8:18:03 PM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\gklgtoir.exe
    C:\documents and settings\owner\local settings\temp\1FI.exe
    C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\mobevent.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\toshiba\ivp\ism\ivpsvmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\isvcc.exe
    C:\WINDOWS\System32\Gnku.exe
    C:\WINDOWS\System32\Gnku.exe
    C:\WINDOWS\System32\utoconva.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\k4we18vz8d.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [kdxybshhd] C:\WINDOWS\System32\gklgtoir.exe
    O4 - HKLM\..\Run: [1FI] C:\documents and settings\owner\local settings\temp\1FI.exe
    O4 - HKLM\..\Run: [uNuI2EL6] C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Erl6AX.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [acxgkory] C:\WINDOWS\System32\acxgkory.exe
    O4 - HKLM\..\Run: [crruns] C:\WINDOWS\System32\crruns.exe
    O4 - HKLM\..\Run: [isvcc] C:\WINDOWS\System32\isvcc.exe
    O4 - HKLM\..\Run: [utoconva] C:\WINDOWS\System32\utoconva.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [g047RXiml] mobevent.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    You have the peper trojan. Download the following File:
    http://downloads.subratam.org/PeperFix.exe

    Double CLick on it and press 'Find and Fix'.

    The program will scan your hard drive for Peper file, move them, reboot, then delete them.

    Next,

    Download Registrar Lite from here:
    http://www.resplendence.com/download/reglite.exe

    Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

    Copy and paste the follow text into the address bar, then hit 'Go':
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

    In the pane on the right are the values associated with that key.
    We want to remove these:
    {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
    _{707E6F76-9FFB-4920-A976-EA101271BC25}
    Notice the underscore at the end and beginning of these.

    Right click on it, and select delete.
    If you get a confirmation question, respond OK then close out the program.


    Run HJT again and check these items and then on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll

    O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\k4we18vz8d.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)

    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [1FI] C:\documents and settings\owner\local settings\temp\1FI.exe
    O4 - HKLM\..\Run: [uNuI2EL6] C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Erl6AX.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [acxgkory] C:\WINDOWS\System32\acxgkory.exe
    O4 - HKLM\..\Run: [crruns] C:\WINDOWS\System32\crruns.exe
    O4 - HKLM\..\Run: [isvcc] C:\WINDOWS\System32\isvcc.exe
    O4 - HKLM\..\Run: [utoconva] C:\WINDOWS\System32\utoconva.exe
    O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [g047RXiml] mobevent.exe
    O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Startup: PowerReg Scheduler V3.exe

    Reboot the computer into safe mode

    Because XP will not always show you hidden files and folders by default.
    Reset your search settings first.

    Open Folder Options>view and check your settings:
    Select
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders

    Find and delete these files/folders:

    C:\WINDOWS\alchem.exe
    C:\Program Files\TV Media .................Folder
    C:\documents and settings\owner\local settings\temp\1FI.exe
    C:\documents and settings\owner\local settings\temp\uNuI2EL6.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\AutoUpdate ................Folder
    C:\WINDOWS\system32\pcs .....................Folder
    C:\Program Files\Common Files\Dpi ..............Folder
    C:\WINDOWS\System32\acxgkory.exe
    C:\WINDOWS\System32\crruns.exe
    C:\WINDOWS\System32\isvcc.exe
    C:\WINDOWS\System32\utoconva.exe

    Reboot and post a new log here.
     
  7. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    Thankyou for all your help... I did all you asked except having HijackThis remove the following since they were no longer available:

    O4 - HKLM\..\Run: [acxgkory] C:\WINDOWS\System32\acxgkory.exe
    O4 - HKLM\..\Run: [crruns] C:\WINDOWS\System32\crruns.exe
    O4 - HKLM\..\Run: [isvcc] C:\WINDOWS\System32\isvcc.exe
    O4 - HKLM\..\Run: [utoconva] C:\WINDOWS\System32\utoconva.exe


    Below if the new log... Thanks again.. Matt

    ----

    Logfile of HijackThis v1.97.7
    Scan saved at 11:44:11 PM, on 7/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\gklgtoir.exe
    C:\WINDOWS\System32\leaut32o.exe
    C:\WINDOWS\System32\asradi.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\WINDOWS\System32\rypt32c.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINDOWS\System32\xsapif.exe
    C:\WINDOWS\System32\Sak0lQS.exe
    C:\WINDOWS\System32\Gnku.exe
    C:\Program Files\America Online 7.0\waol.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [kdxybshhd] C:\WINDOWS\System32\gklgtoir.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Jel3872.exe
    O4 - HKLM\..\Run: [asradi] C:\WINDOWS\System32\asradi.exe
    O4 - HKLM\..\Run: [leaut32o] C:\WINDOWS\System32\leaut32o.exe
    O4 - HKLM\..\Run: [xsapif] C:\WINDOWS\System32\xsapif.exe
    O4 - HKLM\..\Run: [rypt32c] C:\WINDOWS\System32\rypt32c.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
     
  8. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Try this:

    First disconnect your computer from the Internet.

    Now do a Ctrl-Alt-Delete in order to bring up Task Manager and, on the Processes tab, end task on the following processes:

    gklgtoir.exe
    leaut32o.exe
    asradi.exe
    rypt32c.exe
    xsapif.exe
    Sak0lQS.exe
    Gnku.exe

    Now copy the text inside the quote box to Notepad, and save in a location of your choice as remove.reg (make sure you save as type: 'all files')

    Doubleclick Remove.reg, and answer yes when prompted to add its contents to the Registry.

    Next, find the following files in your Windows\System32 folder, and delete them:

    gklgtoir.exe
    leaut32o.exe
    asradi.exe
    rypt32c.exe
    xsapif.exe
    Sak0lQS.exe
    Gnku.exe


    NOTE: To avoid the risk of them not being found due to them having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

    Now run Hijack This again, and check and have it fix the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

    O4 - HKLM\..\Run: [kdxybshhd] C:\WINDOWS\System32\gklgtoir.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Jel3872.exe
    O4 - HKLM\..\Run: [asradi] C:\WINDOWS\System32\asradi.exe
    O4 - HKLM\..\Run: [leaut32o] C:\WINDOWS\System32\leaut32o.exe
    O4 - HKLM\..\Run: [xsapif] C:\WINDOWS\System32\xsapif.exe
    O4 - HKLM\..\Run: [rypt32c] C:\WINDOWS\System32\rypt32c.exe


    Restart your computer, run Hijack This again, and show us a fresh log.
     
  9. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    Tony,

    I attempted to end all processes you listed, however Gnku.exe and Sak01QS.exe kept reappearing... I believe Gnku eventually disappeared but XqkInoDW.exe then appeared... Also, the two items weren't listed in the HijackThis so they were not fixed...

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
    O4 - HKLM\..\Run: [xsapif] C:\WINDOWS\System32\xsapif.exe

    Please let me know...

    Matt


    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:32 AM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\WINDOWS\System32\svcr70m.exe
    C:\WINDOWS\System32\XqkInoDW.exe
    C:\WINDOWS\System32\Sak0lQS.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Jel3872.exe
    O4 - HKLM\..\Run: [svcr70m] C:\WINDOWS\System32\svcr70m.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
     
  10. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Start your computer in Safe Mode and run Hijackthis. Check these items and then on Fix:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Jel3872.exe
    O4 - HKLM\..\Run: [svcr70m] C:\WINDOWS\System32\svcr70m.exe

    Now I want you to make sure you can still view all hidden files and folders:

    Open Folder Options>view and check your settings:
    Select
    Show hidden files and folders
    Display the contents of system folders
    Uncheck: Hide protected operating system files
    Next go to Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
    Be sure the first three boxes are selected:
    Search System folders
    Search Hidden Files and folders
    Search SubFolders

    Find and delete these files/folders:
    C:\WINDOWS\System32\svcr70m.exe
    C:\WINDOWS\System32\XqkInoDW.exe
    C:\WINDOWS\System32\Sak0lQS.exe

    Reboot and post a new log
     
  11. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    Thanks for the help, here's the new log... I was able to do all that was asked...

    ------

    Logfile of HijackThis v1.97.7
    Scan saved at 12:30:42 PM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
     
  12. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Looking better.

    Just a few minor clean ups:

    Run HJT again and check these items:
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll (file missing)

    This one is a resource hog and you can check it if you would like, it only removes the link, not the program.
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Reboot and show a final log for review.
     
  13. arko

    arko Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    8
    Thanks again for all the help... here is the newest log...

    Logfile of HijackThis v1.97.7
    Scan saved at 1:49:48 PM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\System32\TFNF5.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\America Online 7.0\waol.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_3_12_0.dll
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O15 - Trusted Zone: *.greg-search.com
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.4.18/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Yahoo! MLB StatTracker - http://aud16.sports.sc5.yahoo.com/java/y/mlbst8408_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebiof5_3_12_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9D4F7E5-52EA-421D-9A2D-A381802EEE45}: NameServer = 205.188.146.146
     
Thread Status:
Not open for further replies.