nasty sex and hotxxx dialer problem

Discussion in 'adware, spyware & hijack cleaning' started by dave-pool, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. dave-pool

    dave-pool Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    3
Once again the bloody nasty sex / hotxxx dialer (both of them) is bugging me and I can't get rid of them. Can you help!!!!

    I have used Ad-Aware and Spybot on my system. The dialer box constantly returns, sometimes after checking only 2 or 3 web pages on the net.



    Logfile of HijackThis v1.97.7
    Scan saved at 11:05:00 PM, on 7/17/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\CTHELPER.EXE
    C:\WINDOWS.000\SYSTEM\DESK98.EXE
    C:\WINDOWS.000\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS.000\SYSTEM\HPOOPM07.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\WINDOWS.000\MSOCFG.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\DESKTOP\VIRUS PROGRAMMES\HIJAK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS.000\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS.000\browse.exe /i
    O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS.000\msocfg.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - User Startup: PowerReg Scheduler.exe
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37569.1090625
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    You have some malware.

    First, would you please send a copy of the C:\WINDOWS.000\MSOCFG.EXE file to submit_stuffATxs4all.nl for analysis? (replace 'AT' by @)

    We're pretty sure it's your dialer, but we would still like to have a closer look at it. We'd also want to submit copies to developers in the security field if it turns out to be a brand new baddie.

    Much appreciated :)

    The file could possibly have the "Hidden" attribute. Here's how to show hidden and operating system files.


    After sending us that file, check, and have Hijack This fix the following items:

    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS.000\browse.exe /i
    O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS.000\msocfg.exe /i

    Reboot, and delete:

    C:\WINDOWS.000\msocfg.exe
    C:\WINDOWS.000\browse.exe (if still there)

    Cheers,
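The triage described in this reply (spot the odd O4 autostart entries, have HijackThis fix them, reboot, then compare a fresh log for anything that came back under a new name) can be done mechanically over the logs as posted. The Python below is an added example written for this page; it is not HijackThis code and not anything posted in the thread. The sample O4 lines are copied from the two logs in this thread and trimmed to the entries that matter; WINDIR, KNOWN_ROOT and KNOWN_BARE are assumptions about this particular machine, and the flagging rule is a heuristic that will produce false positives elsewhere, so anything it flags still needs a human look.

```python
"""Triage of HijackThis O4 (autostart) lines: parse, diff two logs, flag oddities."""
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the two logs posted in this
# thread (before and after the dialer "mutated"), trimmed to the entries
# that matter for the comparison.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS.000\browse.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS.000\msocfg.exe /i
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PowerReg Scheduler.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [Messanger] C:\WINDOWS.000\browse.exe /i
O4 - HKLM\..\Run: [OfficeAgent] C:\WINDOWS.000\svchosts.exe /i
O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS.000\shman.exe /i
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PowerReg Scheduler.exe
"""

# Assumptions for this particular machine (read off the logs, not from any
# reference list): the Windows directory, the executables that legitimately
# live in its root, and the bare names Windows resolves on its own.
WINDIR = r"C:\WINDOWS.000"
KNOWN_ROOT = {"scanregw.exe", "taskmon.exe"}
KNOWN_BARE = {"systray.exe", "cthelper.exe", "desk98.exe", "atiptaxx.exe",
              "rundll32.exe", "mstask.exe"}

# 'O4 - <location>: [<value name>] <command>'  or  'O4 - Startup: <file>'
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")


@dataclass(frozen=True)
class AutoStart:
    location: str   # 'HKLM\..\Run', 'HKLM\..\RunServices', 'Startup', ...
    name: str       # registry value name; '' for Startup-folder items
    command: str    # raw command line as logged
    image: str      # executable the command launches

    def key(self):
        # Keyed on location + value name + command, so a dropper that comes
        # back under a new name shows as one removed plus one added entry.
        return (self.location.lower(), self.name.lower(), self.command.lower())


def image_of(command, from_folder):
    """Executable path from a Run-key command line or a Startup-folder item."""
    if from_folder:
        return command                      # the whole item is the file name
    if command.startswith('"'):             # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def parse_o4(log_text):
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd").strip()
        entries.append(AutoStart(m.group("loc"), name or "", cmd,
                                 image_of(cmd, from_folder=name is None)))
    return entries


def diff_autostarts(before, after):
    """Entries that appeared / disappeared between two logs."""
    b = {e.key(): e for e in before}
    a = {e.key(): e for e in after}
    added = [e for k, e in a.items() if k not in b]
    removed = [e for k, e in b.items() if k not in a]
    return added, removed


def flag_suspicious(entries, windir=WINDIR):
    """Heuristic: an unknown bare name, or an unknown file in the Windows
    root. Both patterns match the entries fixed in this thread; on other
    machines expect false positives and review every hit by hand."""
    flagged = []
    for e in entries:
        if not e.location.upper().startswith("HK"):
            continue                        # Startup-folder items: no path to judge
        directory, _, base = e.image.rpartition("\\")
        base = base.lower()
        if directory == "" and base not in KNOWN_BARE:
            flagged.append(e)
        elif directory.lower() == windir.lower() and base not in KNOWN_ROOT:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    before, after = parse_o4(LOG_BEFORE), parse_o4(LOG_AFTER)
    added, removed = diff_autostarts(before, after)
    print("removed:", [e.name for e in removed])
    print("added:  ", [e.name for e in added])
    print("suspect:", [(e.name, e.image) for e in flag_suspicious(after)])
```

On the two logs as posted this reports SchedulerMgr (msocfg.exe) as removed and OfficeAgent (svchosts.exe) plus MSOfficeCfg (shman.exe) as added, and flags those together with WinLogin and Messanger. The diff is the dependable part; the flagging rule only encodes what stood out in this particular log (files dropped straight into the Windows root, bare names Windows would not normally resolve) and is tuned to this machine's allowlists.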
     
  3. dave-pool

    dave-pool Registered Member

    Could not find the file that you would like to see, C:\WINDOWS.000\MSOCFG.EXE. It seems to have disappeared, as you can see from the most recent HijackThis log, which I did after the dialer appeared. Will act on your advice and delete the folders recommended though.


    Logfile of HijackThis v1.97.7
    Scan saved at 6:27:31 PM, on 7/18/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\CTHELPER.EXE
    C:\WINDOWS.000\SYSTEM\DESK98.EXE
    C:\WINDOWS.000\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS.000\SYSTEM\HPOOPM07.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\WINDOWS.000\SVCHOSTS.EXE
    C:\WINDOWS.000\SHMAN.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\DESKTOP\VIRUS PROGRAMMES\HIJAK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS.000\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McUpdate.exe
    O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [Messanger] C:\WINDOWS.000\browse.exe /i
    O4 - HKLM\..\Run: [OfficeAgent] C:\WINDOWS.000\svchosts.exe /i
    O4 - HKLM\..\Run: [MSOfficeCfg] C:\WINDOWS.000\shman.exe /i
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - User Startup: PowerReg Scheduler.exe
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37569.1090625
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
     
  4. TonyKlein

    TonyKlein Security Expert

    Yes, the file has mutated... it's now called shman.exe; a copy of that one would be fine as well...

    Just use Hijack This to fix the items I mentioned, reboot, and post a fresh log.
     
  5. dave-pool

    dave-pool Registered Member

    Hi!
    It hasn't come back yet and I am crossing my fingers. I have sent you a copy of the file you asked for by e-mail. Here is the log file after making the changes with HijackThis.

    Thanks for your help.

    Dave

    Logfile of HijackThis v1.97.7
    Scan saved at 7:39:07 PM, on 7/18/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
    C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS.000\SYSTEM\MPREXE.EXE
    C:\WINDOWS.000\SYSTEM\mmtask.tsk
    C:\WINDOWS.000\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
    C:\WINDOWS.000\EXPLORER.EXE
    C:\WINDOWS.000\SYSTEM\DDHELP.EXE
    C:\WINDOWS.000\SYSTEM\RNAAPP.EXE
    C:\WINDOWS.000\SYSTEM\TAPISRV.EXE
    C:\WINDOWS.000\TASKMON.EXE
    C:\WINDOWS.000\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS.000\SYSTEM\CTHELPER.EXE
    C:\WINDOWS.000\SYSTEM\DESK98.EXE
    C:\WINDOWS.000\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS.000\SYSTEM\HPOOPM07.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
    C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
    C:\WINDOWS.000\RUNDLL32.EXE
    C:\PROGRAM FILES\MCAFEE.COM\VSO\MCMNHDLR.EXE
    C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
    C:\WINDOWS.000\DESKTOP\VIRUS PROGRAMMES\HIJAK THIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS.000\SYSTEM\MSDXM.OCX
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS.000\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS.000\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [CTStartup] C:\PROGRAM FILES\CREATIVE\SPLASH SCREEN\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS.000\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - User Startup: PowerReg Scheduler.exe
    O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
    O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37569.1090625
    O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
     
  6. TonyKlein

    TonyKlein Security Expert

    It's a clean log; no more malicious processes are seen to be running; you should be good to go now! :)

    That said, if you still find one or both of the following files on your system, I'd welcome a sample as well (and you can of course delete them afterwards!):

    C:\WINDOWS.000\browse.exe
    C:\WINDOWS.000\svchosts.exe

    Cheers,
     