Unknown Short Cut
genesis2003 (Member with 79 posts; Join Date: Feb 2003)
30-Oct-2003, 05:12 PM #1
Unknown Short Cut
Hello,

My computer is used by several members of the family, and sometimes some weird items appear.

Yesterday, a particular shortcut appeared on my desktop that no one admits to knowing about. It is called "NO CREDIT CARD".

I decided to see if I could remove whatever this is, but could not find it in my Control Panel "Remove/Add Programs".

I right-clicked > Properties and the following description was noted:

Target type: Application

Target Location: Intern~1

Target: C:\PROGRA~1\INTERN~1\IEXPLORE.EXE C:\Program Files\Instant Access\Dialer\HTM_gEYFgVoQAAFbYhAIwdMBAwP\index.htm

Start In: "C:\Program Files\Instant Access\Dialer\HTM_gEYFgVoQAAFbYhAIwdMBAwP"

Short Cut Key: None

Run: Maximized


So I decided to look into "C:\Program Files\Instant Access" and found the file. I dragged this into the trash, but I haven't emptied it until I get hold of one of you Tech Guys, just to make sure.

I just remove this.

Is this the correct way, or am I about to goof?

--genesis2003
BillC (Senior Member with 2,373 posts; Join Date: May 2003; Location: Vero Beach, Florida)
30-Oct-2003, 05:27 PM #2
I've not heard of this one but frankly it seems to me that you certainly will not hurt anything by what you are doing. The issue that remains is whether or not it has a remnant left behind that will reproduce on your next boot. If so, other actions can help solve the unwanted pest. Anyway, that's my view.
bassetman (Moderator - Gone but never forgotten, 48,307 posts; Join Date: Jun 2001; Location: Great White North (WI); Experience: Getting somewhere I hope)
30-Oct-2003, 05:28 PM #3
No, that is not an effective way to remove it.
Go here, download, update and run Ad-aware, Spybot S&D, and HijackThis.
http://forums.techguy.org/t110854/s.html
Run Ad-aware and Spybot, then run HijackThis and post what is left.
Do not do anything with the HijackThis files until you check with someone here!
__________________
Bush on 911.....What Rice and Powell said about WMDs!.....Learn about Human Rights
..."Blessed is the man, who having nothing to say, abstains from giving wordy evidence of the fact."
-George Eliot (1819-1880), author.
bassetman (Moderator - Gone but never forgotten, 48,307 posts; Join Date: Jun 2001; Location: Great White North (WI); Experience: Getting somewhere I hope)
30-Oct-2003, 05:29 PM #4
Anything with dialer in its name is very suspect.
Quote:
Access\Dialer\HTM_gEYFgVoQAAFbYhAIwdMBAwP\index.htm
He may need to get stuff rooted out of his registry etc.
BillC (Senior Member with 2,373 posts; Join Date: May 2003; Location: Vero Beach, Florida)
30-Oct-2003, 05:37 PM #5
Bassetman is so right on this one. I missed the "dialer" altogether. Like I said, if it comes back, other measures need to be taken, and it now sounds to me like it would indeed come back.

Isn't it great to have more than one set of blood-shot eyes looking for you?
bassetman (Moderator - Gone but never forgotten, 48,307 posts; Join Date: Jun 2001; Location: Great White North (WI); Experience: Getting somewhere I hope)
30-Oct-2003, 05:40 PM #6
LOL I have needed a better eye on my posts more than once!
genesis2003 (Member with 79 posts; Join Date: Feb 2003)
01-Nov-2003, 01:56 PM #7
Thanks for the reply,

OK, I ran Spybot and removed the cookie files. I'm hesitant about removing the "registry" info, simply because in the past I tried this and it sent my computer into a tailspin. Here's what's left:

HKEY_CLASSES_ROOT\EGDialObject.EGDial
HKEY_CLASSES_ROOT\EGDHTML.EGDialHTML
HKEY_CLASSES_ROOT\CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}
HKEY_CLASSES_ROOT\{2ABE804B-4D3A-41BF-A172-304627874B45}
HKEY_CLASSES_ROOT\Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}
HKEY_USERS\.DEFAULT\RemoteAccess\Profile\access-to
HKEY_USERS\.DEFAULT\RemoteAccess\Addresses\access-to
HKEY_USERS\.DEFAULT\Software\EDDHTML
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Sofware Publishin...
HKEY_CLASSES_ROOT\Typelib\{83f0D6AA-CD15-46B5-AA4e-BDB506B4AE53}
HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings\ClientID =

Now, I've tried Ad-aware before and wasn't sure what to remove. I ran a custom scan as suggested in one of Winchester73's postings; the results are as follows:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, November 01, 2003 8:58:32 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R228 27.10.2003
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R228 27.10.2003
Internal build : 153
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 674216 Bytes
Signature data size : 660947 Bytes
Reference data size : 13205 Bytes
Signatures total : 15105
Target categories : 10
Target families : 337

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:21 %
Total physical memory:130408 kb
Available physical memory:7644 kb
Total page file size:1966740 kb
Available on page file:1876640 kb
Total virtual memory:2093056 kb
Available virtual memory:2056448 kb
OS:Windows (98)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


11-1-03 8:58:32 AM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293870727
Threads : 4
Priority : High
FileSize : 460 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1991-1999
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292907875
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:3 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292904403
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright (C) Microsoft Corp. 1993-1998
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:4 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292917987
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:5 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4292925391
Threads : 25
Priority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 11/23/02 2:59:38 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 11/14/02 12:44:02 AM

#:6 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292930495
Threads : 2
Priority : Normal
FileSize : 116 KB
FileVersion : 4.71.1959.1
ProductVersion : 4.71.1959.1
Copyright : Copyright (C) Microsoft Corp. 1997
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4292894523
Threads : 21
Priority : Normal
FileSize : 176 KB
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
Copyright : Copyright (C) Microsoft Corp. 1981-1997
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 4/24/99 6:22:00 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:8 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4292957875
Threads : 2
Priority : Normal
FileSize : 27 KB
FileVersion : 4.10.2224
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1993-1999
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 1/8/00 2:02:34 AM

#:9 [ptsnoop.exe]
FilePath : C:\WINDOWS\
ProcessID : 4293046255
Threads : 1
Priority : Normal
FileSize : 13 KB
FileVersion : 1.00.00
ProductVersion : 1.00.00
Copyright : Copyright PCtel,Inc.1994-200
CompanyName : PCtel, Inc
FileDescription : PTSNOOP.EXE
InternalName : PTSNOO
OriginalFilename : PTSNOOP.EX
ProductName : PTSNOOP.EX
Created on : 8/21/00 6:37:21 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/11/00 3:35:36 PM

#:10 [starter.exe]
FilePath : C:\WINDOWS\
ProcessID : 4293058079
Threads : 1
Priority : Normal
FileSize : 32 KB
FileVersion : 5.00.03
ProductVersion : 5.00.03
Copyright : Copyright
CompanyName : Creative Technology, Ltd.
FileDescription : This program launches the mixer application.
InternalName : starter
OriginalFilename : starter.exe
ProductName : starter
Created on : 6/21/00 7:27:23 PM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 2/9/00 3:50:24 PM

#:11 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4293044403
Threads : 24
Priority : Normal
FileSize : 53 KB
FileVersion : 1.03.15
ProductVersion : 1.03.15
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 11/23/02 2:59:38 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 11/15/02 3:29:06 AM

#:12 [stimon.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293022551
Threads : 3
Priority : Normal
FileSize : 112 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1996-1998
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
OriginalFilename : STIMON.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:13 [evntsvc.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4293029375
Threads : 2
Priority : Normal
FileSize : 143 KB
FileVersion : 0.1.0.880
ProductVersion : 0.1.0.880
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : evntsvc.EXE
ProductName : RealOne Player (32-bit)
Created on : 2/2/03 4:51:42 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 2/2/03 4:51:44 AM

#:14 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293130735
Threads : 3
Priority : Normal
FileSize : 44 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:15 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293069627
Threads : 6
Priority : Normal
FileSize : 120 KB
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:16 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293109959
Threads : 4
Priority : Normal
FileSize : 44 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:17 [lexbces.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293182415
Threads : 6
Priority : Normal
FileSize : 280 KB
FileVersion : 5,12,00,00
ProductVersion : 5,12,00,00
Copyright : (C) 1993 - 2000 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 7/26/00 2:56:49 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 5/9/00 6:44:26 PM

#:18 [rpcss.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293178427
Threads : 5
Priority : Normal
FileSize : 20 KB
FileVersion : 4.71.2900
ProductVersion : 4.71.2900
Copyright : Copyright (C) Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
OriginalFilename : rpcss.exe
ProductName : Microsoft(R) Windows NT(TM) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:19 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293145063
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
Copyright : Copyright (C) Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows NT(R) Operating System
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:20 [iexplore.exe]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4293110323
Threads : 19
Priority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/02 8:00:00 AM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 8/29/02 8:00:00 AM

#:21 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293094983
Threads : 6
Priority : Realtime
FileSize : 48 KB
FileVersion : 4.06.03.0518
ProductVersion : 4.06.03.0518
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : ddhelp.exe
OriginalFilename : ddhelp.exe
ProductName : Microsoft
Created on : 1/1/01
Last accessed : 11/1/03 8:00:00 AM
Last modified : 4/24/99 6:22:00 AM

#:22 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4293357547
Threads : 3
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 11/1/03 4:00:22 PM
Last accessed : 11/1/03 8:00:00 AM
Last modified : 7/13/03 6:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .default\Software\EGDHTML


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{2ABE804B-4D3A-41BF-A172-304627874B45}


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{486E48B5-ABF2-42BB-A327-2679DF3FB822}


CometCursor Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{6F2D6A5E-E3E7-4F18-887C-C777650DEF57}


CometCursor Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{7F0F5DA7-84CB-11D4-8137-00500487B1C5}


CometCursor Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{827A2ECE-D76F-4BCC-82ED-D6A287C11211}


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}


CometCursor Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{A335D52F-D489-472D-9EAA-D72A40AAF7CA}


CometCursor Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : CLSID\{C38FC998-3B1B-4F59-A710-5A6C9CF8BD92}


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : EGDHTML.EGDialHTML


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : EGDHTML.EGDialHTML.1


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : EGDialObject.EGDial


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : EGDialObject.EGDial.1


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{2F668A6D-2EC7-4E3A-A485-819E210738D6}


Marketscore(Netsetter) Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Interface\{F88527E2-A8A7-4227-8683-05CFA4EEC511}


Marketscore(Netsetter) Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : Nsconfig.nsBrowserConfig.2


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : Software\EGDHTML


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{486E48B5-ABF2-42BB-A327-2679DF3FB822}


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{94742E3F-D9A1-4780-9A87-2FFA43655DA2}


Alexa Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}


Marketscore(Netsetter) Object recognized!
Type : RegKey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Netsetter


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : TypeLib\{83F0D6AA-CD15-46B5-AA4E-BDB506B4AE53}


Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Windows Object recognized!
Type : RegData
Data :
Category : Data Miner
Comment : MediaPlayer Unique ID
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\MediaPlayer\Player\Settings
Value : Client ID
Data :


Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 24
Objects found so far: 24


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Dialer Object recognized!
Type : RegKey
Data : ELECTRONIC GROUP
Category : Malware
Comment : EGroup
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0


e-Group Object recognized!
Type : RegKey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/SYSTEM/EGDHTML_1021.dll


e-Group Object recognized!
Type : File
Data : egdhtml_1021.dll
Category : Malware
Comment :
Object : c:\windows\system\
FileSize : 47 KB
Copyright : /

Here's the log info from "HijackThis":

Logfile of HijackThis v1.91.2
Scan saved at 9:20:34 AM, on 11/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=2c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src "); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binarie...ML_US_pack.cab

This stuff is lengthy, I hope you guys don't give up on me. Thanks!!

--Genesis2003
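The "dialer" heuristic bassetman raises in post #4 and the HijackThis log pasted in post #7 can be turned into a small triage script that scans a whole log rather than eyeballing it. The following is an added example, not code from this thread, from HijackThis or from Ad-aware. It assumes the HijackThis line layout visible in the logs above (`O16 - DPF: {CLSID} (Name) - URL`, `O2 - BHO: ...`, and so on). The indicator values are taken from the thread's own logs: the two CLSIDs Ad-aware attributed to e-Group, the download host of the two `.cab` files, and the `Instant Access\Dialer` path from the shortcut in post #1. Treating an O16 entry with no control name in parentheses as a weak signal is an assumption of this example, not something the thread states.

```python
import re

# Indicator values come from the logs pasted in this thread; the "unnamed O16
# entry" signal below is an assumption of this example, not a HijackThis rule.
DIALER_CLSIDS = {
    "{486E48B5-ABF2-42BB-A327-2679DF3FB822}",  # e-Group, per the Ad-aware log
    "{94742E3F-D9A1-4780-9A87-2FFA43655DA2}",  # e-Group, per the Ad-aware log
}
SUSPECT_HOSTS = {"akamai.downloadv3.com"}      # host serving ia.cab / ...ML_US_pack.cab
SUSPECT_PATH_KEYWORDS = ("dialer", "instant access")

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def parse_hjt_line(line):
    """Split a HijackThis entry into (section, body); None for non-entry lines."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("sec"), m.group("body")


def classify(line):
    """Return (section, [reasons]) for an entry line, or None if it is not an entry."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return None
    sec, body = parsed
    reasons = []
    for clsid in CLSID_RE.findall(body):
        if clsid.upper() in DIALER_CLSIDS:
            reasons.append(f"known dialer CLSID {clsid.upper()}")
    for host in URL_HOST_RE.findall(body):
        if host.lower() in SUSPECT_HOSTS:
            reasons.append(f"download host {host.lower()}")
    lowered = body.lower()
    for kw in SUSPECT_PATH_KEYWORDS:
        if kw in lowered:
            reasons.append(f"path keyword '{kw}'")
    # Weak signal (assumption): an ActiveX download with no control name in
    # parentheses, which is how both dialer O16 entries in the thread appear.
    if sec == "O16" and "(" not in body.split(" - ")[0]:
        reasons.append("unnamed ActiveX download (weak signal)")
    return sec, reasons


def scan_log(text):
    """Return [(line, reasons)] for every entry that raised at least one reason."""
    findings = []
    for raw in text.splitlines():
        result = classify(raw)
        if result and result[1]:
            findings.append((raw.strip(), result[1]))
    return findings


def shortcut_is_suspect(target):
    """Flag a shortcut that launches Internet Explorer on a file under a dialer
    path, the pattern of the 'NO CREDIT CARD' shortcut described in post #1."""
    lowered = target.lower()
    return "iexplore.exe" in lowered and any(kw in lowered for kw in SUSPECT_PATH_KEYWORDS)


# Constructed sample input: entry lines copied from the thread's logs plus one
# non-entry line, so the script runs offline.
SAMPLE_LOG = """Running processes:
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\\WINDOWS\\SYSTEM\\NZDD.DLL
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binarie...ML_US_pack.cab
"""

# The shortcut target from post #1.
SHORTCUT_TARGET = (r"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE "
                   r"C:\Program Files\Instant Access\Dialer\HTM_gEYFgVoQAAFbYhAIwdMBAwP\index.htm")

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
    print("shortcut suspect:", shortcut_is_suspect(SHORTCUT_TARGET))
```

Run against the sample, only the two `akamai.downloadv3.com` O16 entries are reported, each with three reasons; the Flash control, the Norton and Spybot BHOs and the Run entries are left alone, which matches the advice in the thread that most of a HijackThis log is harmless or required and that nothing should be fixed until a known indicator is matched.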
dvk01 (Moderator & Malware Removal Specialist with 37,223 posts; Join Date: Dec 2002; Location: Loughton, Essex, UK)
01-Nov-2003, 02:35 PM #8
allow adaware to remove EVERYTHING it has found

you have a very out of date version of Hijackthis that will not show the current crop of baddies

please do this: go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Flrman1 (Distinguished Member with 46,425 posts; Join Date: Jul 2002; Location: Thomasville NC; Experience: 100% Geek)
01-Nov-2003, 02:36 PM #9
Any of those that Adaware found can safely be removed. You definitely have some nasties.

We need to see an up to date Hijack This log. Go to the link below and get the latest version.

Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.
__________________
If I have helped solve your problem, please Click Here and make a donation to help keep this great site running. 100% goes directly to this site.
genesis2003 (Member with 79 posts; Join Date: Feb 2003)
01-Nov-2003, 04:01 PM #10
I just allowed adaware to remove EVERYTHING, as posted by Dvk01.

I downloaded the 1.97.0003 version of "HijackThis" > scanned > save log, except a message box popped up, which states: "There was a problem loading the file specified when running the accessibility wizard".

I can't open this log, why?

--genesis
genesis2003 (Member with 79 posts; Join Date: Feb 2003)
01-Nov-2003, 04:03 PM #11
Ok, I found a work around.

Here's the "HijackThis" info:

Logfile of HijackThis v1.97.3
Scan saved at 11:52:56 AM, on 11/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...rchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/...nsumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/r...rchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...rchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src "); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n7vdz7wp.slt\prefs.js)
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [SDetect.exe] C:\WINDOWS\Twain_32\ScanWiz5\SDetect.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\RunOnce: [test]
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservices.msn.com/us/smtptool/MailCfg.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
bassetman's Avatar
Moderator - Gone but never forgotten with 48,307 posts.
 
Join Date: Jun 2001
Location: Great White North (WI)
Experience: Getting somewhere I hope
01-Nov-2003, 05:57 PM #12
May want to wait for more advice, but I'd lose these:
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Not sure if you want to keep these or not, your call:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/...bar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/...bar&LC=0409

RE: ptsnoop.exe look here
http://www.p-r-f.com/sites/ptsnoop_exe.htm
__________________
Bush on 911.....What Rice and Powell said about WMDs!.....Learn about Human Rights
..."Blessed is the man, who having nothing to say, abstains from giving wordy evidence of the fact."
-George Eliot (1819-1880), author.
Reply
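Added example, not code from this thread or from HijackThis itself: a small Python parser for the O4 (Run key) and R1 (IE registry value) lines of a log like the one posted above, with a first-pass check that flags autostart entries whose command names a bare executable with no directory, as ptsnoop.exe does. The sample log and its URL are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis format, modelled on this thread's log (URL is a placeholder).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.example.invalid/bar
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\\..\\Run: [ccApp] "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\RunServices: [SchedulingAgent] C:\\WINDOWS\\SYSTEM\\mstask.exe
O4 - HKCU\\..\\RunOnce: [test]
"""

Entry = namedtuple("Entry", "section hive key name target")

O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
R1_RE = re.compile(r"^R1 - (HK[A-Z]+)\\(.+?),(.+?) = (.*)$")

def parse_hijackthis(text):
    """Parse the O4 and R1 lines of a HijackThis log; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(Entry("O4", hive, key, name, cmd))
        elif m := R1_RE.match(line):
            hive, key, value, url = m.groups()
            entries.append(Entry("R1", hive, key, value, url))
    return entries

def executable_of(cmd):
    """Program part of an O4 command: the quoted path, or the first token."""
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd.split() else ""

def review_o4(entries):
    """Flag O4 entries to look at first: an empty command, or a bare file name
    with no directory, which Windows resolves via its search path (ptsnoop.exe)."""
    findings = {}
    for e in entries:
        if e.section != "O4":
            continue
        exe = executable_of(e.target)
        if not exe:
            findings[e.name] = "empty command"
        elif "\\" not in exe and ":" not in exe:
            findings[e.name] = "unqualified executable: " + exe
    return findings
```

A flagged entry is a prompt to locate the file on disk and identify it, as the moderator's ptsnoop.exe link does, not a verdict on its own.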

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.