eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Fri Jun 04, 2004 12:37 pm Post subject: Help with Trojan Downloaders
I seem to have got myself Downloader.keenval.D and revop.C, which AVG doesn't deal with.
I have a prog called WUPDATER.EXE that flashes in a DOS box briefly every time I boot XP. It just seems to return every time it gets deleted.
I have a HijackThis! log and I would be extremely grateful for some advice for a novice from an expert... hope you can help.
Logfile of HijackThis v1.97.7
Scan saved at 17:17:12, on 04/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\ld.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\JacksonBroddle\Desktop\Ian's Folder\hijackthis!\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ld] C:\WINDOWS\ld.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...999.544375
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh...wflash.cab
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Fri Jun 04, 2004 6:49 pm
When we are finished you need to get to the Windows Update site and download all the critical updates. Your system is very out of date.
Boot to safe mode.
Right click on the taskbar and open Task Manager.
Go to Applications and/or Processes and end task on the following if running:
ld.exe
Then close all windows and have HijackThis fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [ld] C:\WINDOWS\ld.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
Then while in safe mode delete the following:
The folder in C:\Program Files\ that begins with INCRED..
C:\Program Files\Common files\updater <-Folder
C:\WINDOWS\ld.exe <-File
Then browse to the C:\documents and settings\JacksonBroddle\local settings\temp folder and delete all files and folders in it.
Then browse to the C:\Windows\Temp folder and delete all files in it.
Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.
Reboot, then
Download ad-aware here -> http://fileforum.betanews.com/detail.php3?fid=965718306
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........
From main window :Click "Start" then " Activate in-depth scan"
then......
click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files"
then.........
Click the "Tweak" button.
Open up the "Scanning Engine" section and tick "Unload recognized processes during scanning"
Then........"Cleaning engine" and "Let windows remove files in use at next reboot" and "Automatically try to unregister objects prior to deletion"
then...... click "proceed" to save your settings.
Now to scan it's just to click the "Next" button.
When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select All" from the drop-down menu), then press Next and say Yes to the prompt "Do you want to remove all these entries?".
Then,
Download SPYBOT Search and Destroy here-> http://www.safer-networking.org/index.php?page=mirrors
Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the "Check for Problems" button. When the check is over, all problems displayed in red are regarded as real threats and should be dealt with. Make sure they are all selected and click the "Fix selected problems" button.
Then post another log.
_________________
Yellowhammer
5 steps to protect yourself from malware here.
Do not PM me with hijackthis logs.
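The triage Yellowhammer does by hand above (spotting the garbled search values, the hosts overrides, the orphaned BHO, the two autoruns and the two ActiveX entries, then asking for a second log to confirm they are gone) can be mechanised for a first pass. The following is an added example written for this page, not code from the thread, from HijackThis or from any of the posters: a small Python script that parses HijackThis-style lines, applies a handful of review heuristics, and diffs a "before" log against an "after" log. The two sample logs are constructed excerpts in the shape of the first two logs posted in the thread; the heuristics (a search or start page value that is not an http(s) URL, any hosts-file override, a BHO registered against "(no file)", an autorun executable sitting directly in the Windows directory, an ActiveX control with no registered name or loaded via file://) are the editor's own and mark entries for a human to look at rather than giving a verdict.

```python
import re

# Constructed excerpts, in the shape of the two HijackThis logs posted in this
# thread (before and after the clean-up); not the complete logs.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <3Cby-Kbxci1"E<3Yeh-h|xh~yhi-X_A-"ai"ai#~k-zl~-cby-kbxci-bc-yed~-~
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [ld] C:\WINDOWS\ld.exe
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intralaunch.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D30F60D3-8B4F-4903-B17D-2844F330D823}: NameServer = 195.92.195.95 195.92.195.94
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [ld] C:\WINDOWS\ld.exe".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

# Hosts entries come as "<ip> <hostname>"; the pasted log above has two of them
# run together on one line, so the hostname is matched lazily up to the next
# IP address (or end of line) instead of up to the next whitespace.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HOSTS_RE = re.compile(rf"({IP})\s+([A-Za-z0-9][\w.-]*?)(?=\s*{IP}\s|\s*$)")

# An executable placed directly in the Windows directory (not a subfolder such
# as System32); heuristic only, chosen because ld.exe in the thread lives there.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\(?:WINDOWS|WINNT)\\[^\\]+\.exe\b", re.I)


def parse_hijackthis(text):
    """Return the (section, body) pairs of a log, skipping header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entries(entries):
    """Apply review heuristics; returns (reason, section, body) for entries to inspect."""
    findings = []
    for section, body in entries:
        if section in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1]
            if not re.match(r"https?://", value, re.I):
                findings.append(("search/start page value is not an http(s) URL", section, body))
        elif section == "O1":
            # Any hosts-file override is worth a look; report each mapping.
            for ip, host in HOSTS_RE.findall(body.split(":", 1)[1]):
                findings.append((f"hosts file maps {host} to {ip}", section, body))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append(("BHO registered against a file that no longer exists", section, body))
        elif section == "O4":
            # Run entries look like "HKLM\..\Run: [name] <command>".
            cmd = body.split("] ", 1)[1] if "] " in body else body
            if WINDOWS_ROOT_EXE.match(cmd.lstrip('"')):
                findings.append(("autorun executable placed directly in the Windows directory", section, body))
        elif section == "O16":
            # DPF entries look like "DPF: {CLSID} (Control name) - <url>".
            desc, _, url = body.partition(" - ")
            if "(" not in desc:
                findings.append(("ActiveX control with no registered name", section, body))
            if url.lower().startswith("file://"):
                findings.append(("ActiveX control loaded from a local path", section, body))
    return findings


def diff_logs(before_text, after_text):
    """Entries that disappeared and entries that are new between two logs (order kept)."""
    before = parse_hijackthis(before_text)
    after = parse_hijackthis(after_text)
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added


if __name__ == "__main__":
    for reason, section, body in flag_entries(parse_hijackthis(BEFORE)):
        print(f"[{section}] {reason}: {body}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"\n{len(removed)} entries gone after clean-up, {len(added)} new:")
    for section, body in added:
        print(f"  NEW [{section}] {body}")
```

Two things the run makes visible. The heuristics catch the search hijack, both hosts overrides, the orphaned BHO, ld.exe and the two ActiveX entries, but not wupdater.exe, which looks like any other Run entry; that one was recognised from experience, which is why a second log and a diff matter. The diff reports the O17 NameServer entry as new in the second log; in the thread it is the ISP's DNS and Yellowhammer passes it, but a new network-configuration entry is exactly the kind of thing the diff should surface for a human to confirm.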
eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Sat Jun 05, 2004 3:23 am
Thanks for this, I just have a question. I can only see ld.exe in Task Manager and the ref in the HijackThis! log when I am in normal mode. Safe mode doesn't show them.
Do I carry the instructions out in normal mode if this is the only way to see them?
Sorry it's a basic question, but the help is appreciated.
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Sat Jun 05, 2004 7:45 am
It does not surprise me that ld.exe is not running in safe mode. Go ahead and delete the file while in safe mode. Then go back to normal mode and remove the hijackthis entry.
eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Sat Jun 05, 2004 10:57 am
Thanks for the help so far.
I have carried out what you described, I think. The only problem was that I didn't see a c:\documents and settings\jacksonbroddle\local settings\temp folder, so I deleted the cookie files in the cookie folder under that dir tree.
New HijackThis! log follows. Can you advise how things are progressing?
Many thanks
Logfile of HijackThis v1.97.7
Scan saved at 15:52:37, on 05/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\JacksonBroddle\Desktop\Ian's Folder\hijackthis!\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...999.544375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D30F60D3-8B4F-4903-B17D-2844F330D823}: NameServer = 195.92.195.95 195.92.195.94
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Sat Jun 05, 2004 11:15 am
It looks clean now. The temporary files I wanted you to delete are in: C:\Documents and Settings\xxxxxx\Local Settings\Temp. xxxx is each user that has an account. All these temp files should be deleted.
eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Sat Jun 05, 2004 11:15 am
Don't know if I really should add an extra... but I hope all info helps you.
AVG now only claims to find revop.C, but I am unable to remove the file it claims needs removing at C:\windows\system32\bdll4012.exe
No references have been made by AVG to keenval.B or C or D.
Hurrah.
Hope you don't mind this extra, I am very sure you know your work well.
eebo
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Sat Jun 05, 2004 12:15 pm
I don't see anything running in your processes that is bad or in your hijackthis log. Why don't you run the online virus scanner Housecall and see what it finds. Housecall: http://housecall.trendmicro.com/
eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Sat Jun 05, 2004 6:53 pm
Thanks for that feedback. I have run Housecall and it found one infected file, HTML objectexp.A, non-cleanable, at c:\docs and settings\jacksonbroddle\local settings\temporary internet files\content.IE5\QUI7XYED\wbk58.tmp
I asked it to remove this file and it has.
Problem: I seem to still get pop-up messages from AVG antivirus that it detects keenval.B or .C and revop.C. Any reason for this?
Would this still be a worry for my security? Shall I still persevere with XP updates? Dial-up just means I get bored, but I now see the light regarding the updates...
Hope you can advise about what is happening. Your help is still appreciated.
Below is the most recent HijackThis! log
Logfile of HijackThis v1.97.7
Scan saved at 23:53:19, on 05/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\JacksonBroddle\Desktop\Ian's Folder\hijackthis!\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [hpppta] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52...scan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...999.544375
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D30F60D3-8B4F-4903-B17D-2844F330D823}: NameServer = 195.92.195.95 195.92.195.94
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Sat Jun 05, 2004 7:09 pm
My guess is that AVG is seeing these in your System Restore files. This is a good time to purge them as your system is clean. To do this: Disable System Restore, Reboot, Enable System Restore.
Instructions here.
eebo
Cadet
Joined: Jun 04, 2004
Posts: 6
Location: UK
Posted: Sun Jun 06, 2004 3:53 am
Thanks for all the help. System Restore has been purged.
Housecall runs as a clean system.
AVG now claims to see no problem.
I don't see any problems running when surfing.
Lesson learnt? Yup, don't install freeware/shareware that you can't trust.
I'll bang on and get the Windows updates.
Thanks again, have a good summer Mr Yellowhammer.
Any last tips before you sign off?
Yellowhammer
Security Expert
Premium Member
Joined: Jan 30, 2004
Posts: 2349
Location: USA
Posted: Sun Jun 06, 2004 7:11 am
You're welcome.
The only other tips I have are to use SpywareBlaster, SpywareGuard, and IE-SPYAD. Links to all of these are below my signature.
lilliebet65
Site Moderator
Premium Member
Joined: Dec 03, 2003
Posts: 2097
Location: UK
Posted: Sun Jun 06, 2004 8:57 am
Glad we were able to help.
NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.
To reduce the chances of future Spyware/Hijacking problems, please follow the suggestions here: http://www.computercops.biz/postt7736.html
_________________
I'm Spartacus!