[solved] newbie..help and dropper.small.AK (merged)

Discussion in 'adware, spyware & hijack cleaning' started by phatkid, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    cool site

    could use some input on deleting

    dropper.small.AK

    C:systemvolumeinformation\_restore{C1667488-2B62-44A5-B03A-2D5F7A0139F}RP460\A0032010.exe

    i searched for this in files/folders to delete but came up with nothing.....

    Also do i scan for viruses and such with the system restore off?

    thanks to sites like this i have search and destroyed, ada-ware, house call then AVGn also FINALLY figured out out to disable system restore and reboot then scan..etc.
    my ventures didn't turn up the above virus, but did locate a different one to delete..

    also found this software tool, can you make sense of it for me......

    thank you all so much
    Logfile of HijackThis v1.97.7
    Scan saved at 9:52:36 PM, on 11/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\javaw.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\console.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*h...earch?p=%s
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet-5.8.3.20/s...assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo.com - http://slots02.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://domino02.pogo.com/applet/domino/...assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet/euchre/euchre-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo - http://pool17.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: Hammerhead Pool by pogo.com - http://pool26.pogo.com/applet/pool/pool-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://drawpoker.pogo.com/applet/drawpo...assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.3.20/p...assets.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared...Engine.cab
    O16 - DPF: Keno by pogo.com - http://keno.pogo.com/applet/keno/keno-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.8.3.20...assets.cab
    O16 - DPF: Sci-Fi Slots by pogo.com - http://scifi.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: The Sims Pinball by pogo.com - http://simball01.pogo.com/applet/simbal...assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo.com - http://turbo14.pogo.com/applet/turbo21/...assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/...assets.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/...rix6ie.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/...mv9VCM.CAB
    O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\MDG Customer\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004...scan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me...Client.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luc...lashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24EBF81-64F8-42B0-8C33-E66C2A6FB865}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B24EBF81-64F8-42B0-8C33-E66C2A6FB865}: NameServer = 192.168.2.1



    thanks all


    thanks
     
  2. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    dropper.small.AK :(

    could use some input on deleting

    dropper.small.AK

    C:systemvolumeinformation\_restore{C1667488-2B62-44A5-B03A-2D5F7A0139F}RP460\A0032010.exe

    i searched for this in files/folders to delete but came up with nothing.....

    Also do i scan for viruses and such with the system restore off?


    no matter what program i use....cannot locate and deleteo_O

    suggestions any one??

    p.s

    this site facinates me the knowledge you people have

    thanks for helping us meer mortals

    mal
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I have merged you two threads together (although the 2nd one is just about a duplicate). Please do not start a new thread for the same problem.

    You have also posted all 4 threads now in the DiamondCS TDS Forum. Are you using TDS-3?

    Your latest thread is regarding the removal of your McAfee antivirus. That one I will move to the appropriate forum.

    Regards,

    snap
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: newbie..help and dropper.small.AK (merged)

    Snapdragin, are you familiar with this HJT log enough or do we need to call more helping troups? I'm no expert in this field. I'm better with explaining how TDS works!
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I have moved your thread from the TDS forum over into this one.

    The file being flagged as dropper.small.AK is backed up in your System Restore, but don't worry about that yet as that can be easily taken care of later by turning System Restore off and doing a reboot.

    Let's first get your system clean, then you can try uninstalling McAfee later and see if it uninstalls properly.

    Before you begin, please create a permanent folder and move HijackThis.exe out of the temp folder and into the new folder. HijackThis creates backups in the folder it is ran from, and in a temp folder those backups will soon be lost.

    If you did not knowingly install MyWebSearch (MyBar), then uninstall it through the Add/Remove Programs in the Control Panel.

    Next, with only Hijackthis open, place a check beside the following items.
    Make sure you have ALL browsers/windows closed, and click *Fix checked:

    (If you did not set this as your Search page, then include it to be fixed)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*h...earch?p=%s

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\4.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe

    O4 - Startup: PowerReg Scheduler.exe

    O4 - Global Startup: LimeWire 4.0.5.lnk = C:\Program Files\LimeWire\LimeWire 4.0.5\LimeWire.exe

    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/...rix6ie.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwe....0.0.5.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://luckynugget.microgaming.com/luc...lashAX.cab

    (these one's listed in blue are optional to fix, but they do not have to startup with your computer and can be manually started through Start-->Programs)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    Uninstall the P2P Networking through the Add/Remove Programs in the Control Panel, and I would also recommend uninstall Kazaa too.

    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Reboot your computer, preferably into Safe Mode by tapping the F8 key just before windows begins to load.

    Then find and delete the following folders listed in bold:
    C:\Program Files\MyWebSearch <--if you've chosen to uninstall it.
    C:\Program Files\LimeWire
    C:\WINDOWS\System32\P2P Networking

    ****
    Do you know what this is for? If not, could you navigate to the console.exe file and right-click it (do not left-click it) and look under it's properties and tell me what it says about the file.
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe

    ****

    Then reboot your computer normally, and follow up with another scan with Ad-Aware. Make sure you have Ad-Aware up to date before scanning.

    Post a new log here in this thread when done.

    Regards,

    snap
     
  6. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    thanks for the reply!!! have been looking for it but it was moved :)

    i am at work so i will have to do all of this when i get off work and try and decipher all of yoiur suggestions......i did forget to mention i tried to uninstall kaaza without luck ( i started using limewire,,,,, which you say to delete, should i still?)


    "Do you know what this is for? If not, could you navigate to the console.exe file and right-click it (do not left-click it) and look under it's properties and tell me what it says about the file.
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe"

    1..what are you asking me....do i know what what is?? (sorry)

    2..since i am not at home, in case i don't know.. how do i make a permanent folder for hijkthis

    3. console.exeo_O? and right click what?....sorry again

    4. when i delete and uninstall things, should i empty recycle bin B4 i scan/or run hijack?

    5. is safe mode easy to get out of?

    thanks for everything
     
    Last edited: Jun 12, 2004
  7. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    FYI there is a couple of things that can't/won't delete (christmas screensavers,kaaza )......we'll worry about these later??
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe"

    1..what are you asking me....do i know what what is?? (sorry)

    Yes, I was asking if you recognized it at all since I am not finding any information on it.

    2..since i am not at home, in case i don't know.. how do i make a permanent folder for hijkthis

    Open Explorer by clicking on the Start button -->All Programs -->Accessories -->Windows Explorer.
    Once Windows Explorer is open, then create a new folder (call it whatever you would like) somewhere on your C drive by going to File -->New -->Folder and give it a name. Then move Hijackthis.exe into that new folder so it will be in a permanent folder of it's own.

    3. console.exe? and right click what?....sorry again

    First locate the file called console.exe in the Windows System32 folder.
    Then right-click on it, and choose Properties. Then under the tabs, see what it says the file is for, who made it, etc. Any information there under those tabs that might help identify what it is. Then post that information back here so I can see what it is and why it is running at startup.

    If there is no information under it's tabs that would help identify it, could you upload it for a scan at Kaspersky, then post the scan results back here in a reply post.

    4. when i delete and uninstall things, should i empty recycle bin B4 i scan/or run hijack?

    You can wait until later to do that.

    5. is safe mode easy to get out of?

    Yes. You just reboot normally. The instructions are there in the link I provided if you need more detail.

    FYI there is a couple of things that can't/won't delete (christmas screensavers,kaaza )......we'll worry about these later??

    I don't know what program put the screensavers there, or if they came with an uninstaller, so I cannot help you too much with that.
    Kaaza should be able to be uninstalled. I don't use it myself but I beleive it comes with an uninstall, or you can uninstall it through Add/Remove Programs.
    There is a removal utility called Kazabegone, that you can try. But please read the warning and download the LSPfix file before using Kazabegone, just in case you run into any trouble, you'll have the LSPfix tool to get your internet connection back. Here is the link for Kazabegone (just scroll down to the very bottom of that page) http://www.spywareinfoforum.com/~merijn/downloads.html

    Regards,

    snap
     
  9. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    will do thanks ALOT! .........again......

    i'm up for an adventure i am sure.......
     
  10. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    O MY FRIGGIN GOD................JUST NOW GOT BACK ON LINE....SCREWED MY INTERNET CONECTION had to re-instal drivers...oh well

    when i in depth adaware it found 180 files after my safe mode...still never found the dropper.small

    that console.exe.........just says its an application file 52 mb??

    here is my updated (i think) hijackthis



    Logfile of HijackThis v1.97.7
    Scan saved at 10:03:08 PM, on 12/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\System32\console.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKCU\..\Run: [console] C:\WINDOWS\System32\console.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105


    thanks
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,


    About the Limewire; this use to come bundled with spyware but apparently they are saying their version 4 (the newest version) is spyware free. I don't use that so I cannot confirm it. But to keep limewire is definitely your choice. :)

    Let's have the Experts take a closer look at the 'console.exe' file just to be on the sure side. Please navigate to the System32 folder and zip up a copy of the console.exe file and email it to This Email Address for analysis. Include the url back to this thread in the body of the email along with a brief message.
    Send a zipped copy of it to this email also: submit@diamondcs.com.au


    You can fix this one in Hijackthis.
    O4 - Startup: PowerReg Scheduler.exe

    Reboot after doing so.

    If you are still getting an alert on dropper.small, then turn off your System Restore, reboot your computer to clear the old restore points, then turn System Restore back on and do another scan with your anti-virus.
    See instructions here for how to turn System Restore off: System Restore Instructions.

    Regards,

    snap
     
  12. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    wellllllllllllll

    i just tried to zip the file msn came on and said "file has virus on it, cannot send"

    yoiu guys are good
     
  13. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    First bring up TaskManager (ctrl+alt+del keys) and end the running process on the file. Then upload the console.exe to Kaspersky for a scan. Let's see if it says anything about it so we have some idea of what we're dealing with.

    Then try sending the zipped file again, but this time password protect it.
    If it still won't go through, you can try renaming the zipped file by right-licking it, select rename, and rename the console.zip to console.txt. You will get a message warning that the file will not be able to be run when renamed, just press OK.

    In the body of the email message make sure you give the password for the file, and state that it is infected and you've renamed the zipped file, so those receiving it will know what it is.

    While we wait to see what the Experts say about the file, rename the console.exe to console.bak so it won't run the next time you reboot your computer.

    Regards,

    snap

    fixed the wrong spelling of console.exe
     
    Last edited: Jun 13, 2004
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: newbie..help and dropper.small.AK (merged)

    both console.dll & conime.exe that you sent me appear to be genuine M$ system files

    conime is the multilanguage support

    the console.exe you tried to send was deleted by the antivirus on my email provider so that one was definitely bad

    many viruses use similar names to genuine files so that they will be hidden to most users and not removed
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi Derek, :)

    So rather than have phatkid rename the console.exe to console.bak, they should just delete it after subitting the password-protected zipped file to submit@diamondcs.com.au

    Regards,

    snap
     
  16. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    so how a i getting it off, and how do i know what one is bad?
     
  17. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    i tried to rename then move to a folder, and it just oges back to origin
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    Since Derek said it is an infected file, you can go ahead and delete it, but before deleting the file, please try sending it again to the two addresses I mentioned above, but passwording the zipped file so it will get past the antivius programs. You can keep a copy of the zipped file for a few days until we hear back from the Experts.

    Leave both the console.dll & conime.exe alone though since they are legitimte window files.

    What did the Kaspersky scan say about the console.exe?

    snap
     
  19. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    You will be able to delete the console.exe file in Safe Mode.
     
  20. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    thank you so much.........every time i tried in regular mode it just poped back up..in safe mode it killed that sucker....

    i got rid of all the console and conmine as there were copies and i could not tell what was the clean one....

    here is my new hijackthis file

    Logfile of HijackThis v1.97.7
    Scan saved at 3:37:13 AM, on 13/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Digital Patrol Update.lnk = C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: NameServer = 192.168.2.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105

    thsi was more hassle than i like, but the two times i have taken the puter to where i got it (free)i have to reinstall everything (HUGE pain......finding registration Numbers....etc....

    lastly, i cannot delete christmas hearth.....
    wise uninstall....could not open install.log fil

    kazza....RUNDLL
    C:\WINDOWS\system32\cd_clintdll
    that should cure me for good :) i have my mcafee disc, hopefully it has uninstall


    thank you everyone so much
     
  21. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    what is the worst that would happen if i deleted files i needd??

    also, in the system 32 folder they were console.dll and conime.dll....not exe

    still couldn't delete


    p.s that safe mode is cool......wish i could read that stuff good enoughas to not bug any one.............that won't be happining

    phats
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: newbie..help and dropper.small.AK (merged)

    I'm wondering:
    when i can't zip a file for some reason, i try tochange it's extension into .tmp so it can't run anymore and most scanners don't make problems on a tmp file (till now) But zipped password protected is the best.
    Only you said it was a 52 MB file? that is really BIG!
    What you always can do in windows explorer carefully rightclick the file to look at it's properties (i say careful to make sure you don't click and activate it unintended) and if possible details of the file, does it look like a normal MS file, was it recently modified, look at dates etc.
    If it was 52MB indeed you could not upload it at the kaspersky online checker (i love that thing, using it frequently as a second opinion); but any of your av/at scanners would have been able to scan it or an online scanner.
    It might have been an original which got infected, or an original which has code now detected as bad stuff, whatever.
    This is why i like to look for the original properties and description, so if it was said to be an original MSN messenger file (for example) you could write to MSN support and telling this story, pointing to this thread, as that saves you lot or writing :)
    If there is guaranteed nothing wrong and it is the original file scanners worldwide can exclude the file from their databases. But if it is an original and bad thing MSN has to replace it with an innocent version.
    If it got infected on your system only it's another story and removing is the only thing.

    If you lost needed files:
    If they were system files, doesn't have XP theautomatic ability to put them back, or in worse cases via system restore?
    with syustem restore all the other stuff is back too, so that is depending on the advice of the experts here.
    The worst thing could be you have to re-install a program.
    But following the exact advices from the experts here nothinhg can go wrong.

    BTW: if i don't trust a file i have the habit to send in a copy for advice of course but also to keep the file with an extra extension, like your console.exe could become console.exe.tmp so i can always find it back and i can find out if anything stops running or other errors show up with the file not being able to run.

    This is general, for this console.exe i really don't know as long there is no expert advice from the file itself. thhis version at least sounded very suspicious!

    BTW: if it was part of MSN Messenger: i have MSN messenger but no console.exe, but i didn't update it long time as i never use it and i don't run XP, so maybe other XP and MSN Messenger owners can have a look if they have such files on their system and their size, so you might feel less bad about having removed a baddy.
    When all is clean you can re-install MSN Messenger if it would have been part of that and if the program would not run properly anymore.
     
    Last edited: Jun 13, 2004
  23. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    too late...............deleted console......take no chances!!!

    i was thinking of uninstalling windows and reinstalling....... i doubt not having the files will effect me too bad...

    for future references how do we password protect a zipped file..

    snap.... i never had a chance to upload th file, sorry

    phats
     
  24. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: newbie..help and dropper.small.AK (merged)

    Hi phatkid,

    I'm a bit lost where you are at the moment as to what files you actually deleted?

    Did you delete the infected file console.exe successfully?
    Did you delete the files console.dll and conime.dll?

    The console.dll is the Control Panel Console Applet and is a legitimate Microsoft file, and needed. The file is about 65kb in size, and there should be one in the Windows\System32 folder, and one in the Windows\System32\dllcache folder (at least that is what I have on my computer)

    You may still be able to retrieve the console.dll from your Recycle Bin if you haven't emptied it, but that file should be protected by Windows so it may well have been put back by Windows after a reboot.

    I do not have a conime.dll on my XP-Home, nor can I find any information on that one, so it may well have belonged to the other infected file, console.exe.

    Have you since done a scan with your antivirus (or an on-line scan) and has everything come back clean now?

    As for how to password protect a file, here is the Microsoft article that describes that: http://support.microsoft.com/default.aspx?scid=kb;en-us;306531#4

    It would have been good to have the infected console.exe file to see exactly what it does and if it has dropped any other files that we can't see in the hijackthis log, and submit it for analysis and detection. But if you've already deleted it, then not to worry, as long as your system is clean now that's what counts.

    I have moved your other thread regarding the removal of McAfee Antivirus over into our Other Antivirus Software forum: https://www.wilderssecurity.com/showthread.php?t=36090
    You can follow-up with removing McAfee over in that thread. ;)


    Could you post a final hijackthis log so we can check it to make sure it is ok.

    Thank you.

    snap
     
  25. phatkid

    phatkid Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    110
    Location:
    Eastern ontario
    Re: newbie..help and dropper.small.AK (merged)

    yes i deleted those 2 files, but copied them from my XP master disk back to the system 32 folder....

    i did send the files, however they were not zipped, then i deleted them sorry!!!

    i thought i posted an updated log....any where here she is

    Logfile of HijackThis v1.97.7
    Scan saved at 10:35:40 PM, on 13/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    C:\Program Files\MSN\MSNCoreFiles\msn6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\MDG Customer\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\MDGCUS~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
    O4 - Startup: Digital Patrol Update.lnk = C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC8364F-F2D9-4F52-984D-FEEEECDB1750}: Domain = sympatico.ca
    O17 - HKLM\System\CS1\Services\Tcpip\..\{092E4EA9-DAAA-4F8C-A902-BF050FE89CCE}: NameServer = 206.47.244.53 206.47.244.105

    thanks
     
Thread Status:
Not open for further replies.