Hijacked again

Discussion in 'adware, spyware & hijack cleaning' started by eterry, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    I seem to have contracted allaboutsearching again. Here is the log:

    Thanks,

    Ed

    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:41 AM, on 6/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\ezula\mmod.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\DOCUME~1\Edward\LOCALS~1\Temp\sta17D.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {C3F89B9C-22F2-E708-CA0C-33EB704644BC} - C:\PROGRA~1\SLOW64~1\Software Option.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: TransThatDrv - {ACE6C62C-1417-1815-2C09-D347A2D61C96} - C:\PROGRA~1\SLOW64~1\Software Option.dll
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [boneexit] C:\PROGRA~1\BLUEDA~1\grey rect.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Disable system restore - see how to here

    Run HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/in...www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search200.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search200.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {C3F89B9C-22F2-E708-CA0C-33EB704644BC} - C:\PROGRA~1\SLOW64~1\Software Option.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: TransThatDrv - {ACE6C62C-1417-1815-2C09-D347A2D61C96} - C:\PROGRA~1\SLOW64~1\Software Option.dll
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [boneexit] C:\PROGRA~1\BLUEDA~1\grey rect.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

    Be sure you are configured to SHOW ALL FILES AND FOLDERS, including System and Hidden Files. If you don't know how to do that, follow this link and follow the step-by-step directions for your Windows version.

    Reboot in Safe Mode . Find and delete:

    C:\PROGRA~1\Toolbar
    C:\PROGRA~1\SLOW64~1
    C:\Program Files\Common files\WinTools <<-- the folder
    C:\PROGRA~1\BLUEDA~1\ <<-- folder
    C:\PROGRA~1\ezula\ <<-- folder

    Reboot in Normal mode and post a fresh log here.
     
  3. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    FBJ,
    Thanks for the response. I printed and followed the instructions. But, haven't solved the problem yet. Here is the latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:01:47 PM, on 6/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Please reboot into Safe Mode and run HijackThis again. Fix the following lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search200.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/in...p://about:blank
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    These two lines are using ressources, slowing down your startup without doing anything usefull. I suggest you fix them as well. They will not be deleted, just removed from your startup:

    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    Find and delete:

    C:\Program Files\Common files\WinTools <<-- folder

    Reboot into Normal mode, run HijackThis, scan and post a fresh log.
     
  5. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    Thanks, FBJ. It seems that most of it is cleared up. But, I still get something called spotresults that overlays my home page. Here is the log:

    Ed


    Logfile of HijackThis v1.97.7
    Scan saved at 8:45:27 AM, on 6/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe

    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     
  7. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    Thanks Pieter,

    Here is the log:


    Files Found---
    C:\WINDOWS\System32\AnCODC32.DLL
    C:\WINDOWS\System32\ArDENC32.DLL
    C:\WINDOWS\System32\AvDCXC32.DLL
    C:\WINDOWS\System32\CaNTAB32.DLL
    C:\WINDOWS\System32\CtNTAB32.DLL
    C:\WINDOWS\System32\CuNTAB32.DLL
    C:\WINDOWS\System32\DaCVW_32.DLL
    C:\WINDOWS\System32\DbCVW_32.DLL
    C:\WINDOWS\System32\Df630_32.DLL
    C:\WINDOWS\System32\Dm630_32.DLL
    C:\WINDOWS\System32\Dp630_32.DLL
    C:\WINDOWS\System32\Dq630_32.DLL
    C:\WINDOWS\System32\Dt630_32.DLL
    C:\WINDOWS\System32\GbSIS630.DLL
    C:\WINDOWS\System32\GcSIS630.DLL
    C:\WINDOWS\System32\GhSIS630.DLL
    C:\WINDOWS\System32\GsSIS630.DLL
    C:\WINDOWS\System32\GtSIS630.DLL
    C:\WINDOWS\System32\GvSIS630.DLL
    C:\WINDOWS\System32\GwSIS630.DLL
    C:\WINDOWS\System32\GySIS630.DLL
    C:\WINDOWS\System32\IbMFILTER.DLL
    C:\WINDOWS\System32\IfMFILTER.DLL
    C:\WINDOWS\System32\IhMFILTER.DLL
    C:\WINDOWS\System32\IiMFILTER.DLL
    C:\WINDOWS\System32\IlMFILTER.DLL
    C:\WINDOWS\System32\ImMFILTER.DLL
    C:\WINDOWS\System32\InMFILTER.DLL
    C:\WINDOWS\System32\IpMFILTER.DLL
    C:\WINDOWS\System32\IqMFILTER.DLL
    C:\WINDOWS\System32\IxMFILTER.DLL
    C:\WINDOWS\System32\IzMFILTER.DLL
    C:\WINDOWS\System32\kedest.dll
    C:\WINDOWS\System32\kfdfo.dll
    C:\WINDOWS\System32\khdest.dll
    C:\WINDOWS\System32\kjdfo.dll
    C:\WINDOWS\System32\krdfi.dll
    C:\WINDOWS\System32\ktdfo.dll
    C:\WINDOWS\System32\kwdfo.dll
    C:\WINDOWS\System32\kydfo.dll
    C:\WINDOWS\System32\kzdfo.dll
    C:\WINDOWS\System32\mdtask.dll
    C:\WINDOWS\System32\MgCUIA32.DLL
    C:\WINDOWS\System32\MjFMIG32.DLL
    C:\WINDOWS\System32\MwCUIA32.DLL
    C:\WINDOWS\System32\MyCUIA32.DLL
    C:\WINDOWS\System32\pedx5032.dll
    C:\WINDOWS\System32\pgdx5032.dll
    C:\WINDOWS\System32\PmCSTORE.DLL
    C:\WINDOWS\System32\prdx5032.dll
    C:\WINDOWS\System32\pvdx5032.dll
    C:\WINDOWS\System32\pwdx5032.dll
    C:\WINDOWS\System32\rgoc3260.dll
    C:\WINDOWS\System32\rioc3260.dll
    C:\WINDOWS\System32\rnoc3260.dll
    C:\WINDOWS\System32\rroc3260.dll
    C:\WINDOWS\System32\rtoc3260.dll
    C:\WINDOWS\System32\rvoc3260.dll
    C:\WINDOWS\System32\rxoc3260.dll


    Guardian Key--- is called: GuardianWCCSL
    Asynchronous 000
    DllName C:\WINDOWS\system32\CaNTAB32.DLL
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {127DE45D-8561-44EE-A21F-D30B4E4A24CD}
    IDex DS3

    User Agent String---
    {127DE45D-8561-44EE-A21F-D30B4E4A24CD}
     
  8. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    Run VX2Finder.exe again, hit "Click to Find VX2.BetterInternet" - hit "Delete these files". The program vil delete all files except one - the last one will be deleted on reboot. Let the program reboot your computer. After reboot, run VX2Finder again, hit the following buttons:

    "Guardian.reg"
    "User Agent"
    "Restore Policy"

    Download, update and run Adaware - see instructions here:

    https://www.wilderssecurity.com/showthread.php?t=15913

    Run VX2Finder again, hit "Click to Find VX2.BetterInternet" - hit "Make log" and post the log together with a fresh HijackThis log once your done with the above.
     
    Last edited: Jun 9, 2004
  9. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    Thanks FBJ. Here are the two logs:

    VX2Finder Log:

    Files Found---
    C:\WINDOWS\System32\CaNTAB32.DLL
    C:\WINDOWS\System32\GrSIS630.DLL


    Guardian Key--- is called: GuardianZPELU
    Asynchronous 000
    DllName C:\WINDOWS\system32\CaNTAB32.DLL
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {127DE45D-8561-44EE-A21F-D30B4E4A24CD}
    IDex DS3

    User Agent String---
    {127DE45D-8561-44EE-A21F-D30B4E4A24CD}
    ______________________________________________________________

    Logfile of HijackThis v1.97.7
    Scan saved at 11:09:06 AM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/s
     
  10. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    It didn't quite do the job. I will have to have to ask you to repeat the steps from before and make sure that you are off the net (unplug your internet connection) until all files are deleted:

    Run VX2Finder.exe again, hit "Click to Find VX2.BetterInternet" - hit "Delete these files". The program vil delete all files except one - the last one will be deleted on reboot. Let the program reboot your computer. After reboot, run VX2Finder again, hit the following buttons:

    "Guardian.reg"
    "User Agent"
    "Restore Policy"

    Download, update and run Adaware - see instructions here:

    https://www.wilderssecurity.com/showthread.php?t=15913

    Run VX2Finder again, hit "Click to Find VX2.BetterInternet" - hit "Make log" and post the log together with a fresh HijackThis log once your done with the above.
     
  11. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    Ok, I disconnected and followed the instructions. Here are the two logs:

    Log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINDOWS\System32\CaNTAB32.DLL
    C:\WINDOWS\System32\rjoc3260.dll


    Guardian Key--- is called: GuardianCFNYJ
    Asynchronous 000
    DllName C:\WINDOWS\system32\CaNTAB32.DLL
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {127DE45D-8561-44EE-A21F-D30B4E4A24CD}
    IDex DS3

    User Agent String---
    {127DE45D-8561-44EE-A21F-D30B4E4A24CD}

    ________________________________________________________

    Logfile of HijackThis v1.97.7
    Scan saved at 4:07:09 PM, on 6/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    I've noticed a problem similar to yours here:

    https://www.wilderssecurity.com/showthread.php?t=35411

    The poster in that thread says:

    "Something very stupid. I was forgetting to checkmark the boxes before clicking to Delete the files.." --- you wouldn't be doing the same mistake? (no offense..).

    No - probably not ;) In that case I'll have to refer you to Pieter_Arntz' advice:

    Try this please. Keep using the click to find and delete buttons untill nothing is found.

    Then continue with the rest.

    If that doesn't cut it I will have to ask you to register here: http://forums.broadbandmedic.com/cg...3/ikonboard.cgi and point them to this thread.

    The genius that wrote this program is active there and will probably need some more information.
     
  13. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    "Something very stupid. I was forgetting to checkmark the boxes before clicking to Delete the files.." --- you wouldn't be doing the same mistake? (no offense..).


    None taken, FBJ. No problem. What program are you referring to about forgetting to checkmark the boxes before clicking to delete. I was sure I was doing everything as directed. But, I'll reread your instructions and go back and do it again.

    Regards,
    Ed
     
  14. FBJ

    FBJ Spyware Fighter

    Joined:
    Jan 28, 2004
    Posts:
    49
    This I borrowed from the master himself :) It could be that I have been pointing you towards an older version of the program. Please do the following:

    Download this version of VX2Finder (to make sure you are not using something older)
    when doing these fixes, make sure you are the only user logged into the machine. Follow the procedure you have tried for some time now (click Find - delete etc).

    Put checks beside each of the files found and click "Delete these Files"

    at the last one you will need to reboot.
    After reboot. run the VX2Finder again, and post that log.
    It should show "no" files found cept for the registry info.

    Click "UserAgent$", "Guardian.reg", & "Restore Policy" if that is the case to clean those reg items out.

    Looking forward to your response :)
     
  15. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    FBJ.....just call me dorkus maximus. I was, in fact, not checking the delete boxes before hitting the delete files button.

    Here are the new logs:

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---
    _____________________________________________

    Logfile of HijackThis v1.97.7
    Scan saved at 9:16:00 AM, on 6/10/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVPersonal\AVGUARD.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVPersonal\AVGNT.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\America Online 9.0a\aoltray.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: CorelCENTRAL 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\ccwin9.exe
    O4 - Global Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
    O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37748.5075925926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks,

    Ed
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  17. eterry

    eterry Registered Member

    Joined:
    May 13, 2004
    Posts:
    11
    FBJ and Pieter:

    Thank you for all your help. It is much appreciated.

    Regards,

    Ed
     
Thread Status:
Not open for further replies.