Remove Trojan

Discussion in 'malware problems & news' started by Mitta, Mar 25, 2004.

Thread Status:
Not open for further replies.
  1. Mitta

    Mitta Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    3
    Hi! I need help to remove Win32:Trojan-gen.(VC). I already know it´s in C:\windows\system\winstart001.exe and I have done a scan. :oops:

    Thanks in advance, Brittmari
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Mitta,

    Welcome at Wilders. :)

    Could you follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  3. Mitta

    Mitta Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    3
    Logfile of HijackThis v1.97.7

    Tried again, doing what you told me to.It seems that nothing works anymore. Have started from the beginning with Ad-aware, have done the hijackthis.exe and when I should send it to you they said I can´t put in a log-file so now I have saved it as a text-file to see if it´s getting any better.

    Thanks in advance, Brittmari o_O
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re:Logfile of HijackThis v1.97.7

    Hi Mitta,

    Just copy & Paste the content of the logfile into your next post.
    (Use the Reply button)

    Regards,

    Pieter
     
  5. Logfile of HijackThis v1.97.7
    Scan saved at 15:43:42, on 2004-03-25
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\id2scaps.exe
    C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
    C:\Program\ALWILS~1\Avast4\ashDisp.exe
    C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    D:\Program\ICQPlus\vplus.exe
    C:\Program\ICQ\ICQ.exe
    C:\Program\iD2\CSP\iD2CertMover.exe
    C:\Program\Microsoft Office\Office\FINDFAST.EXE
    C:\Program\Microsoft Office\Office\OSA.EXE
    D:\PROGRAM\INCRED~1\bin\ImApp.exe
    D:\Mina dokument\Exe-filer\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webgate.nu/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [PopUpKiller] D:\Program\PopUp Killer\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b
    O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ICQ Plus] "D:\Program\ICQPlus\vplus.exe"
    O4 - HKCU\..\Run: [IncrediMail] D:\PROGRAM\INCRED~1\bin\IncMail.exe /c
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe
    O4 - Global Startup: Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRAM\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37932.4067361111
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/polarbowler/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Brittmari Lindberg,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch

    O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\System\BHO001.DLL (file missing)

    O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.EXE -b

    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/polarbowler/install.cab

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\System\WinStart001.EXE

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  7. Mitta

    Mitta Registered Member

    Joined:
    Mar 25, 2004
    Posts:
    3
    Thank you very much!!!! There wasn´t any file left to delete when I did the reboot in safe mode but I think it went well though it isn´t in the new Logfile of HijackThis v1.97.7 anymore. So very much thanks to you again :-*
    Bless you, Brittmari

    Scan saved at 22:13:46, on 2004-03-25
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\id2scaps.exe
    C:\Program\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
    C:\Program\ALWILS~1\Avast4\ashDisp.exe
    C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    D:\Program\ICQPlus\vplus.exe
    C:\Program\iD2\CSP\iD2CertMover.exe
    C:\Program\Microsoft Office\Office\FINDFAST.EXE
    C:\Program\Microsoft Office\Office\OSA.EXE
    C:\Program\ICQ\ICQ.exe
    D:\PROGRAM\INCRED~1\bin\ImApp.exe
    D:\Mina dokument\Exe-filer\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webgate.nu/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\System32\pmxinit.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program\Delade filer\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [mmtask] C:\Program\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [PopUpKiller] D:\Program\PopUp Killer\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program\ICQ\NDetect.exe
    O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ICQ Plus] "D:\Program\ICQPlus\vplus.exe"
    O4 - HKCU\..\Run: [IncrediMail] D:\PROGRAM\INCRED~1\bin\IncMail.exe /c
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: iD2 CSP Certificate Utility.lnk = C:\Program\iD2\CSP\iD2CertMover.exe
    O4 - Global Startup: Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRAM\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .sgn: C:\Program\Internet Explorer\PLUGINS\npSign.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1408.g.akamai.net/7/1408/9955/20031016/akamai.info.apple.com/iTunes4/WW/win/061-0848.20031022.TtzS4/iTunesSetup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37932.4067361111
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Mitta,

    Good work!!!

    Your HJT log is clean....

    Regards,
    Kent
     
  9. SuaSponte

    SuaSponte Registered Member

    Joined:
    Jan 6, 2004
    Posts:
    16
    Location:
    USA - Dallas, Texas
    OK.. I'm an Idiot.. I updated the AdAware and ran it again. It found 186 items that it deleted.

    This is my newest HiJack This Log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:02:51 PM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Tracy Dexter\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [COMMUNICATE! PRO 5.0 IBM] C:\Program Files\COMMUNICATE! PRO 5\bin\setupibm.exe
    O4 - HKLM\..\Run: [TDS3] C:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [MoneyAgent] ""C:\Program Files\Microsoft Money\System\Money Express.exe""
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\TRACYD~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Pop-Up Stopper.lnk = C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {53C9E2FF-02A0-4C18-87AE-2218390DDE99} - http://www.qchex.com/cm/2004/QchexCheckMessenger.cab
    O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direcway.com/dwayready/dpcsysinfo.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please submit that EXE - as you should do with any .GEN detections. submit@diamondcs.com.au

    This really goes for droppers and downloaders too, since while the dropper or downloader may be detected, what it DROPS or downloads may NOT be detected. So I appreciate these submissions too :) So should any AV / AT
     
Loading...
Thread Status:
Not open for further replies.