Trojan Horse Backdoor.Flux.I

Discussion in 'Trojan Defence Suite' started by BlkScpn, Nov 11, 2004.

Thread Status:
Not open for further replies.
  1. BlkScpn

    BlkScpn Registered Member

    Joined:
    Nov 11, 2004
    Posts:
    5
    Location:
    Virginia
    I keep getting a Virus warning and AVG keeps finding it and fixing it then the shield pops up again saying it is back when i tried to get my TDS-3 to scan it finds nothing..... So what do i do now? the following is my test results and whatnot:
    ---------------------------------------------------
    Results of Complete Test, date and time 11/10/2004 6:02:20 :

    Testing C:\ serial F0BE-7B6D
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\Documents and Settings\unknown\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\unknown\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\unknown\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\unknown\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\WINDOWS\SoftwareDistribution\EventCache\{25C9115E-B0C9-4119-BF2F-D79EB49E8977}.bin Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\WINSET32.EXE repaired<----- It didn't !!
    C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS Cannot open; not checked!

    Test finished, duration 00:17:02.4 s
    26853 objects tested, 1 found infected

    ----------------------------------------------------------
    Any Info will be greatly appreciated!
     
  2. BlkScpn

    BlkScpn Registered Member

    Joined:
    Nov 11, 2004
    Posts:
    5
    Location:
    Virginia
    Here is the hijackthis log after i scanned too:
    -----------------------------------------------
    Logfile of HijackThis v1.98.2
    Scan saved at 12:29:58 AM, on 11/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    c:\program files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\program files\steam\steam.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Garry\LOCALS~1\Temp\Rar$EX00.625\HijackThis.exe
    C:\Program Files\Ventrilo\Ventrilo.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://users.adelphia.net/~blackscpn
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [winset16] C:\WINDOWS\system32\winset32.exe
    O4 - HKLM\..\RunOnce: [*winset16] C:\WINDOWS\system32\winset32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [winset16] C:\WINDOWS\system32\winset32.exe
    O4 - HKCU\..\RunOnce: [*winset16] C:\WINDOWS\system32\winset32.exe
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.2.21/canasta/canasta-ob-assets.cab
    O16 - DPF: Command and Conquer Comanche by pogo - http://game4.pogo.com/applet-6.0.1.20/ccstrike/ccstrike-ob-assets.cab
    O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-6.0.0.25/domino/domino-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-6.0.1.20/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.0.25/gin/gin-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.2.21/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.0.25/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi BlkScpn,
    Disable AVG's resident components and try again. If that does not succeed
    you will have to follow the course of action found at the link below as you may have some things that TDS3 does not cover.
    https://www.wilderssecurity.com/showthread.php?t=50662
    Also there is a Flux removal tool available, Google for flux removal tool.

    HTH Pilli
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    most av's won't fix flux infections

    first of all zip Up and send this file to submit@diamondcs.com.au

    C:\WINDOWS\system32\winset32.exe

    DO NOT FIX anything until that is done so TDS can add detections and a cure to TDS

    ignore the can't open files as that is nothing apart from windowes log files which are always locked

    I am not convinced it is flux but a different trojan that rebuilds itself easily but this should cure it

    Download pocket killbox from http://download.broadbandmedic.com/Killbox.exe put it on the desktop where you can find it easily

    now run killbox and paste each of these lines into the box, select delete on reboot and end explorer shell before deleting. Then press the red X button, when it says reboot now, say no yes
    C:\WINDOWS\system32\winset32.exe

    when it reboots
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked



    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [winset16] C:\WINDOWS\system32\winset32.exe
    O4 - HKLM\..\RunOnce: [*winset16] C:\WINDOWS\system32\winset32.exe

    O4 - HKCU\..\Run: [winset16] C:\WINDOWS\system32\winset32.exe
    O4 - HKCU\..\RunOnce: [*winset16] C:\WINDOWS\system32\winset32.exe

    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binari...thv32_EN_XP.cab
    http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB


    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot &

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow it's directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R18 08.11.2004 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.


    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/
    http://www.bitdefender.com/scan/licence.php
    http://www.commandondemand.com/eval/index.cfm
    http://www.freedom.net/viruscenter/onlineviruscheck.html
    http://info.ahnlab.com/english/
    http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

    reboot again
    and that should clear it
     
  5. BlkScpn

    BlkScpn Registered Member

    Joined:
    Nov 11, 2004
    Posts:
    5
    Location:
    Virginia
    It isnt letting me zip this file says it is write protected and also i noticed it has something to do with ms-dos. dont understand why i cant zip it but i cant.
     
  6. BlkScpn

    BlkScpn Registered Member

    Joined:
    Nov 11, 2004
    Posts:
    5
    Location:
    Virginia
    SWEET, i got it thanks to your help! killbox,hijackthis,and delete got it ! Thanks for saving my life :) i owe ya one!
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    post a new log to check it's gone please
     
  8. BlkScpn

    BlkScpn Registered Member

    Joined:
    Nov 11, 2004
    Posts:
    5
    Location:
    Virginia
    Logfile of HijackThis v1.98.2
    Scan saved at 5:18:34 PM, on 11/12/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\rmctrl.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\program files\steam\steam.exe
    C:\WINDOWS\system32\npkagt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\----\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://users.adelphia.net/~blackscpn
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-6.0.0.32/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.2.21/canasta/canasta-ob-assets.cab
    O16 - DPF: Command and Conquer Comanche by pogo - http://game4.pogo.com/applet-6.0.1.20/ccstrike/ccstrike-ob-assets.cab
    O16 - DPF: ConferenceRoom Java Client - http://irc.theamateurchat.com/java/cr.cab
    O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-6.0.0.25/domino/domino-ob-assets.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-6.0.1.20/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.0.25/gin/gin-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.2.21/flinger/flinger-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.0.2.21/pinochle/pinochle-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.0.25/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    looks all clear now
     
Thread Status:
Not open for further replies.