Probably NEW trojan downloader !!!

Discussion in 'adware, spyware & hijack cleaning' started by sofascan, Mar 25, 2004.

Thread Status:
Not open for further replies.
  1. sofascan

    sofascan Guest

    My PC pops up advertising windows when I open IE or Opera for the first time, and after that it works well. It also sometimes installs a toolbar in IE.
    I scanned the system with F-Secure 2004 (OWN), BitDefender, NOD32, Norton, Panda and RAV antiviruses, and with SpySweeper (OWN), Ad-aware and Spybot S&D, all fully updated, and they could not solve my problem.

    I also cleaned all temporary files with WindowsTraceRemover and several others, and also did it manually.

    This is the HijackThis log file; please let me know which entries I should delete or send for analysis.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:33:08 PM, on 3/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    F:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    F:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    F:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    F:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Opera7\opera.exe
    F:\Program Files\ZipCentral\ZCentral.exe
    F:\DOCUME~1\user\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - F:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {E433BC79-1E08-44AD-9D92-52F738EE655E} - F:\WINDOWS\System32\auatodisc.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - F:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [SideWinderTrayV4] F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [BDMCon] F:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] F:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.7592013889
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    THANKS
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sofascan,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - F:\WINDOWS\System32\btiein.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {E433BC79-1E08-44AD-9D92-52F738EE655E} - F:\WINDOWS\System32\auatodisc.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - F:\PROGRA~1\Toolbar\toolbar.dll

    Download CWShredder and run it. Be sure ALL other windows are closed, use the Fix button, and follow the instructions you will receive.

    Then reboot in Safe Mode and delete the following:

    F:\PROGRA~1\Toolbar\ <-- entire folder
    F:\WINDOWS\System32\btiein.dll
    F:\WINDOWS\System32\auatodisc.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
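
Added example, not part of the original thread or of HijackThis: a Python sketch that groups the entries of a HijackThis log by the DLL they load, which ties the "Fix checked" list to the files deleted in Safe Mode, and compares two scans. The sample lines are copied from the logs in this thread; the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Entry lines look like "<code> - <detail>", e.g. "O2 - BHO: ..." or "R1 - HKCU...".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Drive-letter path ending in .dll; also matches inside a res:// URL.
DLL_RE = re.compile(r'([A-Za-z]:\\[^/"]*?\.dll)', re.IGNORECASE)

# Lines copied from the first log in this thread (subset).
BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://F:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - F:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - F:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {E433BC79-1E08-44AD-9D92-52F738EE655E} - F:\WINDOWS\System32\auatodisc.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - F:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""
# Lines copied from the log posted after the fix (subset).
AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
"""

def parse_entries(log_text):
    """Return (code, detail) tuples for the R*/O* lines; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def entries_by_dll(entries):
    """Map each referenced DLL (lower-cased path) to the entry codes that load it."""
    groups = defaultdict(list)
    for code, detail in entries:
        m = DLL_RE.search(detail)
        if m:
            groups[m.group(1).lower()].append(code)
    return dict(groups)

def diff_scans(before, after):
    """Return (removed, added) entries between two parsed scans."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added

if __name__ == "__main__":
    first, second = parse_entries(BEFORE), parse_entries(AFTER)
    for dll, codes in entries_by_dll(first).items():
        print(dll, "<-", ", ".join(codes))
    gone, new = diff_scans(first, second)
    print(len(gone), "entries removed;", "new:", new)
```

On these lines the diff also surfaces an entry that exists only in the second scan, so a follow-up log is worth comparing rather than just skimming.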
     
  3. sofascan

    sofascan Guest

    OK, I did all that, and this is the latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:07:58 AM, on 3/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    F:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    F:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    F:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    F:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Opera7\opera.exe
    F:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [SideWinderTrayV4] F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [BDMCon] F:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] F:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.7592013889
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    The problem happened again: when Windows is turned on and I open the IE or Opera browser, it pops up several windows. If I close them all and open IE or Opera again, everything works well, so the problem is only the first time.

    It opened these pages today:

    http://popularscreensavers.com/?partner=ZRxdm185

    and

    http://nami.videoprofessor.com/mcafeep.php?campaignID=100124&fc=100157

    Tell me the next steps I should take.

    THANKS
     
  4. sofascan

    sofascan Guest

    This is with all windows closed:


    Logfile of HijackThis v1.97.7
    Scan saved at 1:12:52 AM, on 3/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    F:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    F:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    F:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    F:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    F:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [SideWinderTrayV4] F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKLM\..\Run: [BDMCon] F:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] F:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.7592013889
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  5. puff-m-d

    puff-m-d Registered Member

    Hi sofascan,

    Just one more entry....

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  6. sofascan

    sofascan Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 4:11:22 PM, on 3/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\System32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    F:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    F:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    F:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    F:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    F:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    F:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    F:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    F:\WINDOWS\system32\rundll32.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    F:\Program Files\F-Secure Internet Security\backweb\4476822\Program\BackWeb-4476822.exe
    F:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [SideWinderTrayV4] F:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "F:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "F:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL
    O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38030.7592013889


    It still pops up windows sometimes. I sent over 60 .exe files from the system32 folder for analysis and I'm waiting for a reply from F-Secure.


    If you see any others that I should delete, let me know.


    tx o_O
     
  7. puff-m-d

    puff-m-d Registered Member

    Hi sofascan,

    Your log is clean now, good work!!!

    Some baddies have found ways not to show up in HJT....

    Post back exactly what kind of pop-ups you are having and any other info that may help...

    Regards,
    Kent
     
  8. sofascan

    sofascan Guest

    I saw the same pop-ups when PalTalk is active.
     