1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Another TIBS Dialer Problem

Discussion in 'Virus & Other Malware Removal' started by skiyoyo, Apr 6, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. skiyoyo

    skiyoyo Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    9
    I already posted this message HERE in response to another post, but I thought maybe it would be wise to create a new post:

    Hi, I'm new to TSG so here it goes:

    I some how recieved the TIBS dialer - at least that's what Ad-Aware, Spybot and pc-cillin have determined it to be. I must have removed it about 12 times using every which method. I've removed it with each one of the programs above as well as tried some manual removal of files. Here's what I have found:

    A pornographic icon appears on the desktop. The shortcut links to a C:\Program Files\WebSite Viewer\123070.exe
    I have deleted the folder "WebSite Viewer" a few times, but it keeps reappearing along with the icon on the desktop and an icon in the Start Menu.
    I did a search of my computer for the string of numbers "123070" and found some files that exist in the C:\Windows\Prefetch\ folder.
    They exist as:

    123070.DLR-38F04D8C.pf
    123070.EXE-2EFD5F5B.pf
    123070.EXE-36A4DEFC.pf

    I've also deleted these only to find them reappear later along with the desktop icon and such.

    A google search brought me once to the pest patrol site which said to manually delete these files:

    win.com
    win.com-336c371f.pf

    I did not know whether this was a good idea to delete either of these because I once had a problem running windows 98 where it wouldn't start because of a missing win.com file.

    Anyways, I really hope someone is out there who can help me with this problem. Ironically, I go to a tech high school and I am known by many to be the most computer literate student and i'm the one who ends up with an un-fixable (hopefully not) problem. Based on the instructions given in previous posts, I downloaded HijackThis and ran a scan; here are the results:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:12:30 PM, on 4/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\Program Files\Colligo Networks\Colligo Workgroup Edition\pwssvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\WINDOWS\System32\SxgTkBar.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\TFNF5.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\inorman.IANNORMAN\My Documents\Download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: TX4 - {00000000-0000-7EBF-57C6-0BAE047EA682} - C:\WINDOWS\System32\autodisc32.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: AlwaysOnTopMaker.lnk = C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7476.4224305556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab

    Thanks,

    Ian

    Laptop running Windows XP Pro SP1
    Pentium 4 - 1.6 GHz
    512MB DDR266
    40GB HDD
    GeForce4 Go420
    CD-RW/DVD
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Okay, start off by doing the following.

    1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
    2. Install the program, open it check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R279 31.03.2004 (or higher number/date). If it does not, then click here and install the file manually.
    3. Make sure the following settings are turned to ON
      -From the main window click on Start then Activate in-depth scan.
      -Click on Use custom scanning options>Customize and make sure the following options are turned on:
      Scan within archives
      Scan active processes
      Scan registry
      Scan my IE Favorites for banned URL
      Scan my host-files
    4. Click on Settings and make sure the following are enabled:
      Unload recognized processes during scanning
    5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
    6. Finally Click Proceed to save your settings.
    7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
    8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

    then
    1. Download Spyboy S&D from this page
    2. Open and install the program then click here and follow the instructions for updating the program. Download all available updates.
    3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems
    4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems

    Then post a new HJT Log
     
  3. skiyoyo

    skiyoyo Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    9
    OK. Thanks for the quick response Nok1. I followed you instructions to the detail. I updated both the probrams to the right versions with all the newest definitions. I saved the log of ad-aware incase you need it later, just ask and I'll post it if needed. I still know that although ad-aware says it removed all the presences of TIBS, it isn't completely off the system. I've already done this about 12 times only to have it reappear after about a day. Here's the most recent HJT log:

    Logfile of HijackThis v1.97.
    Scan saved at 12:02:20 AM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\WINDOWS\System32\SxgTkBar.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\TFNF5.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    C:\Program Files\NavNT\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\inorman.IANNORMAN\My Documents\Download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: TX4 - {00000000-0000-7EBF-57C6-0BAE047EA682} - C:\WINDOWS\System32\autodisc32.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Pinger] C:\Toshiba\IVP\ISM\pinger.exe /run
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: AlwaysOnTopMaker.lnk = C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    O4 - Startup: Fn-esse.lnk = C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37476.4224305556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks a bunch

    I hope this will work out,

    Ian
    [email protected]
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O2 - BHO: TX4 - {00000000-0000-7EBF-57C6-0BAE047EA682} - C:\WINDOWS\System32\autodisc32.dll
     
  5. skiyoyo

    skiyoyo Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    9
    Ok, I followed you instructions and removed:
    O2 - BHO: TX4 - {00000000-0000-7EBF-57C6-0BAE047EA682} - C:\WINDOWS\System32\autodisc32.dll
    I don't really know if that fixed anything yet. Previously, the dialer seemed to reappear one day after I had attempted to clean it using ad-aware and such. I'll be satisfied in about 2 days if I don't see any sign of the TIBS dialer. Thanks. Here is another HJT log after i did the above repair just in case:


    Logfile of HijackThis v1.97.7
    Scan saved at 12:37:09 AM, on 4/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\NavNT\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\System32\TPWRTRAY.EXE
    C:\WINDOWS\System32\SxgTkBar.exe
    C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
    C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\WINDOWS\System32\TFNF5.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\Tablet.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\install.exe
    C:\Documents and Settings\inorman.IANNORMAN\My Documents\Download\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
    O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
    O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [Pinger] C:\Toshiba\IVP\ISM\pinger.exe /run
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: AlwaysOnTopMaker.lnk = C:\Program Files\AlwaysOnTopMaker\AlwaysOnTopMaker.exe
    O4 - Startup: Fn-esse.lnk = C:\Program Files\Toshiba\Windows Utilities\FNESSE32.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: PopupPopper Control Panel (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {69432678-2906-2705-1128-068943397621} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37476.4224305556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks

    Ian
     
  6. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Clean (y)
     
  7. skiyoyo

    skiyoyo Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    9
    I'll be satisfied in a couple days

    Ian
     
  8. jmspivey07

    jmspivey07

    Joined:
    Apr 16, 2004
    Messages:
    2
    Could you please take a look at my Hijack Log and tell me if you see anything suspicios? Somehow the Tibs Dialer got downloaded to my machine. I ran Spyware and it found it and supposedly removed it. However, in my network connections there is a dial-up connection labled TIBS16 which keeps trying to dial-out. VERY ANNOYING!

    I read your other posts and it seems like you've got a handle on this thing. Any help you could give in regards to finally getting this thing OFF my computer would be appreciated.

    Thanks,

    JS

    Here is my HiJackThis Log:
    ---------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 4:43:35 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\john\Application Data\Mozilla\Profiles\default\00zdbzep.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.5990393519
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ticketsxchange.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.presentationpro.com/member/PM4.0.4/XUpload.ocx
     
  9. jmspivey07

    jmspivey07

    Joined:
    Apr 16, 2004
    Messages:
    2
    Derek,

    Could you please take a look at my Hijack Log and tell me if you see anything suspicios? Somehow the Tibs Dialer got downloaded to my machine. I ran Spyware and it found it and supposedly removed it. However, in my network connections there is a dial-up connection labled TIBS16 which keeps trying to dial-out. VERY ANNOYING!

    I read your other posts and it seems like you've got a handle on this thing. Any help you could give in regards to finally getting this thing OFF my computer would be appreciated.

    Thanks,

    John

    Here is my HiJackThis Log:
    ---------------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 4:43:35 AM, on 4/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Sony\HotKey Utility\HKserv.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\WinPortrait\wpctrl.exe
    C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe
    C:\WINDOWS\System32\ctfmon.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Sony\HotKey Utility\HKWnd.exe
    C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\PowerPanel\Program\PcfMgr.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Downloads\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\john\Application Data\Mozilla\Profiles\default\00zdbzep.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [McAgentexe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [McUpdateexe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [CleanupProgram] C:\Sonysys\cleanup.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Nokia Connection Monitor] "C:\Program Files\Common Files\Nokia\NCLTools\NclConf.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: PowerPanel.lnk = ?
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.5990393519
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ticketsxchange.webex.com/client/latest/webex/ieatgpc.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.presentationpro.com/member/PM4.0.4/XUpload.ocx
     
  10. skiyoyo

    skiyoyo Thread Starter

    Joined:
    Apr 6, 2004
    Messages:
    9
    Well, it's been over a week now and I see no sign of the TIBS dialer on my machine, thanks to Nok1 and dvk01 for their help. You guys are great.
     
  11. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Hey skiyoyo, sorry for the long wait and no reply - I was on vacation and was unable to respond.

    Anyways, The log is almost clean, just need to remove the below entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\WINDOWS\start.chm::/start.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://riviera.cc (obfuscated)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)


    Good to go!
     
  12. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217866

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice