please help me, this is the log. thx

Discussion in 'adware, spyware & hijack cleaning' started by cocacola, May 8, 2004.

Thread Status:
Not open for further replies.
  1. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    i used Ad-aware to scan my system and they founds many files.

    I am having problem while opening IE6.0. My start page is www.google.com,but it always comes out with an advert at the bottom and no matter how many times i change the first page, it still opens with the advert as well as a tool bar at the top.

    This is the log. thanks for helping~ :D

    Logfile of HijackThis v1.97.7
    Scan saved at 23:13:01, on 2004-5-8
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\program files\rising\rav\RavTimer.exe
    C:\program files\rising\rav\RavMon.exe
    C:\PROGRA~1\TIMEBA~1\loadloud.exe
    C:\WINDOWS\csrss.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\rising\rav\CCenter.exe
    C:\Program Files\rising\rav\RavMonD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Toniadong\My Documents\MSN File Sharing\highjackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {609BBA67-8C0A-AE32-1F93-907C41CA5439} - C:\PROGRA~1\transmp3\testcash.dll
    O2 - BHO: (no name) - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - (no file)
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: bias 1 - {8363BE32-962A-47E0-6E50-582A254D3C28} - C:\PROGRA~1\transmp3\testcash.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
    O4 - HKLM\..\Run: [RavTimer] c:\program files\rising\rav\RavTimer.exe
    O4 - HKLM\..\Run: [RavMon] c:\program files\rising\rav\RavMon.exe
    O4 - HKLM\..\Run: [live rdr] C:\PROGRA~1\TIMEBA~1\loadloud.exe
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i svchost
    O4 - HKLM\..\RunServices: [RavMon] c:\program files\rising\rav\RavMon.exe /AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: ~
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: kele8 (HKLM)
    O9 - Extra 'Tools' menuitem: kele8 (HKLM)
    O9 - Extra button: QQ (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083331009046
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (V2 Control) - http://202.96.140.88/vchat/v27.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://61.153.48.61:1995/talk.cab
    O16 - DPF: {8135EF31-FE8C-4C6E-A18A-F59944C3A488} - http://ddddl.dudu.com/ddd/channel/spockx-channel.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
    O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://www.bliao.com/vchat/blueskyvoice.cab
    O16 - DPF: {C0C13879-6A17-429E-80F1-60B23FC1F720} (FcBoot Class) - http://211.93.80.143/game/system/activex/fcboot.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab






    please help me to solve this problem~~ thanks a lot.
     
    Last edited by a moderator: May 8, 2004
  2. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    by the way this is the site that is keeping opening when i start the IE.


    http://netsearchsoft.com/passthrough/index.html?http://www.google.com/


    P.S. coz i had this problem for a few days already but i remember having a lot of bookmark folders that i didnt add..dont know why they appear..and some icons on my destop too..but i deleted them.
     
  3. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi cocacola,

    Have only Hijackthis running and fix :

    O2 - BHO: (no name) - {609BBA67-8C0A-AE32-1F93-907C41CA5439} - C:\PROGRA~1\transmp3\testcash.dll
    O2 - BHO: (no name) - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - (no file)
    O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: bias 1 - {8363BE32-962A-47E0-6E50-582A254D3C28} - C:\PROGRA~1\transmp3\testcash.dll

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [live rdr] C:\PROGRA~1\TIMEBA~1\loadloud.exe
    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i svchost

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O16 - DPF: {2EA6D939-4445-43F1-A12B-8CB3DDA8B855} (V2 Control) - http://202.96.140.88/vchat/v27.cab
    O16 - DPF: {6924091F-CD97-41E1-B1D4-D9079409D413} (IMCv1 Control) - http://61.153.48.61:1995/talk.cab
    O16 - DPF: {8135EF31-FE8C-4C6E-A18A-F59944C3A488} - http://ddddl.dudu.com/ddd/channel/spockx-channel.cab
    O16 - DPF: {C0C13879-6A17-429E-80F1-60B23FC1F720} (FcBoot Class) - http://211.93.80.143/game/system/activex/fcboot.cab

    Restart PC after doing so in Safe Mode : Here's How and remove :

    C:\PROGRAM FILES\TIMEBA.....\ <- folder beginning with these letters
    C:\WINDOWS\csrss.exe <- this file, in that folder
    C:\PROGRAM FILES\transmp3\ <- this folder, if still present

    Clean temp internet files

    Restart again in normal mode

    Hope this helps

    Cheers,
     
  4. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    hello, i followed your instructions already and the toolbar's gone, but the start page is still coming through with an advertisement....

    :eek:
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Could u please post a fresh HijackThis log, so the experts can see if there is anything left to fix.

    Thanks.

    snowbound
     
  6. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    ok~~:)

    the new log

    Logfile of HijackThis v1.97.7
    Scan saved at 3:43:39, on 2004-5-9
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\program files\rising\rav\RavTimer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\rising\rav\CCenter.exe
    C:\Program Files\rising\rav\RavMonD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Toniadong\My Documents\MSN File Sharing\highjackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
    O4 - HKLM\..\Run: [RavTimer] c:\program files\rising\rav\RavTimer.exe
    O4 - HKLM\..\Run: [RavMon] c:\program files\rising\rav\RavMon.exe
    O4 - HKLM\..\Run: [live rdr] C:\PROGRA~1\TIMEBA~1\loadloud.exe
    O4 - HKLM\..\RunServices: [RavMon] c:\program files\rising\rav\RavMon.exe /AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: ~
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: kele8 (HKLM)
    O9 - Extra 'Tools' menuitem: kele8 (HKLM)
    O9 - Extra button: QQ (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083331009046
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
    O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://www.bliao.com/vchat/blueskyvoice.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab



    thanks for helping:)
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I'm not an expert but it seems u missed this line,

    O4 - HKLM\..\Run: [live rdr] C:\PROGRA~1\TIMEBA~1\loadloud.exe

    in the above fixes posted by Unzy.

    Maybe u should try to fix this one again.

    Did u find and remove all the files and folders he posted?


    snowbound
     
  8. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    thanks snowbound, i fixed it already~~~:)
    and thanks for helping me, the problem's been solved~~

    this is the new log~~no more adverts..yeah~ :D



    Logfile of HijackThis v1.97.7
    Scan saved at 4:08:08, on 2004-5-9
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\rising\rav\CCenter.exe
    C:\Program Files\rising\rav\RavMonD.exe
    C:\WINDOWS\System32\svchost.exe
    C:\program files\rising\rav\RavTimer.exe
    C:\Documents and Settings\Toniadong\My Documents\MSN File Sharing\highjackthis\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: o_O?? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC60\Phonetic\TINTLCFG.EXE /PHIMETIPSync
    O4 - HKLM\..\Run: [IMSCMIG40W] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40W\IMSCMIG.EXE /SetPreload /Log
    O4 - HKLM\..\Run: [RavTimer] c:\program files\rising\rav\RavTimer.exe
    O4 - HKLM\..\Run: [RavMon] c:\program files\rising\rav\RavMon.exe
    O4 - HKLM\..\RunServices: [RavMon] c:\program files\rising\rav\RavMon.exe /AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Startup: ~
    O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: kele8 (HKLM)
    O9 - Extra 'Tools' menuitem: kele8 (HKLM)
    O9 - Extra button: QQ (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083331009046
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.bang-olufsen.com/InstallObjs/isetup.cab
    O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://www.bliao.com/vchat/blueskyvoice.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E3489C0D-D07D-4281-A4A7-ADA8E9A0893F} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/cn/filesharingctrl.cab
    O16 - DPF: {E862C832-3A5F-4CEB-BFAA-167B22010A71} (InfosFinder2.InfosFinder) - http://support.packardbell.com/files/activex/InfosFinder2.CAB
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


    thank you so so so much for helping~~~~~~~
     
  9. cocacola

    cocacola Registered Member

    Joined:
    May 8, 2004
    Posts:
    13
    Location:
    UK
    btw may i ask..
    is csrss.exe a virus ?
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  11. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi all,

    csrss is indeed a legit file .... when in the proper folder/location!

    In this case, when you see a startupentry like :

    O4 - HKLM\..\Run: [Runner] C:\WINDOWS\csrss.exe /i svchost

    You can bet it's up to no good. I wont classify it as a virus per definition, more like a trojan.

    a classic example of legit files being used, but in the wrong folder is svchost.exe

    legit :

    c:\windows\system32\svchost.exe

    fake :

    c:\windows\svchost.exe

    as for csrss.exe :

    legit :

    c:\windows\system32\csrss.exe (does not run from startup in a HT log anyway)

    fake :

    C:\WINDOWS\csrss.exe <- in this case on a XP machine that is!

    Cheers,
     
Thread Status:
Not open for further replies.