
PSW.Dumarin.C (possible typo)

Discussion in 'Virus & Other Malware Removal' started by Wenchie, May 22, 2004.

  1. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    Okay, helping a friend via long-distance phone calls and the random email. This is the only info I have; if someone could shed some light on this and help, we both would appreciate it. Here is the email she was able to send:

    "Still messing with that damn trojan. AVG sees it and asks the usual, delete, heal, or move to vault. No matter how many times I choose delete, or heal or even move, it comes back again and again. This is what was causing my IE to try and dial out (at least, that's what I get from looking online for info on this damned thing) and share my info with the hacker. Avast does not seem to see...this file. It is saving itself (and apparently restoring itself) in my Windows folder as a dll file. prntsvr.dll to be exact.

    The name AVG gives is PSW.Dumarin.C. The last thing I tried was to turn my
    system restore off, delete the file and re-start... but guess what? lol, Yep, it is still there. *sigh* Why do people have to make these things???"

    ------------end of message--------------
    Looking around for info I found only ONE place (so far) that had any info about it, and that is assuming she misspelled the name of the thing...

    Name: Win32.Dumaru.B/[email protected]
    Aliases: W32.Dumaru.B/C | W32/Dumaru.b/[email protected] | W32/Dumaru-B

    I think she mis-spelled the name, because Google found nothing about her original file name..

    I found info here: http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=160

    And a free removal tool here, which I've downloaded: http://www.bitdefender.com/html/free_tools.php?menu_id=20&letter=&page=2

    Should I try to get this to her or do you guys have a better idea. We are clueless at this point.

    Thanks for your help...
     
  2. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Can you have her either post or email you her HiJack This scan log?

    Instructions are as follows:

    Go to http://tomcoyote.org/hjt/ or http://lurkhere.com/~nicefiles and download HiJackThis. Use Winzip to unzip it, then install and run it.

    NOTE: HiJackThis.exe file SHOULD be installed in its own folder. Before downloading create a folder and name it HiJackThis, then d/l HiJackThis to that folder.

    The reason for its own folder is because HiJackThis will create not only log files, but a backup of whatever it removes so you can restore if necessary. If you d/l HiJackThis to your desktop and run it from there you will have log and backup files scattered all over your desktop.

    To run, click the "Scan" button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. Most of what it finds is harmless, so do not do anything yet. Someone will be glad to help you sort out any of the not so good items that may be in there.

    IF you get an error saying msvbvm60.dll is missing,
    Download and run the MS visual basic 6.0 runtime files
     
  3. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    Logfile of HijackThis v1.97.7
    Scan saved at 7:07:45 PM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Pamela's Programs\Avast\aswUpdSv.exe
    C:\Pamela's Programs\Avast\ashServ.exe
    C:\PAMELA~1\AVG\avgamsvr.exe
    C:\PAMELA~1\AVG\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\netdc.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ideal calander\Calendar.exe
    C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Paid Response\IP Ad Killer\ipads.exe
    C:\PAMELA~1\AVG\avgcc.exe
    C:\PAMELA~1\AVG\avgemc.exe
    C:\Pamela's Programs\LinkCrafter\Periodic.exe
    C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\Msroot.exe
    C:\PAMELA~1\Avast\ashDisp.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    C:\Pamela's Programs\WordWeb\wweb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Pamela's Programs\myie2final\myie2_08350_zip\MyIE.exe
    C:\Documents and Settings\Michael Stearns\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Pamela's Programs\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PAMELA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Pamela's Programs\SnagIt 6\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [IDEAL Calendar] "C:\Program Files\Ideal calander\Calendar.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\WinPoET Broadband Connection\WrDialer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IPAds] C:\Paid Response\IP Ad Killer\ipads.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PAMELA~1\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PAMELA~1\AVG\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PAMELA~1\AVG\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [LinkPlanner] C:\Pamela's Programs\LinkCrafter\Periodic.exe
    O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton Uninstall Deluxe\NINIT.EXE
    O4 - HKLM\..\Run: [NSystemMonitor] C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Msroot.exe] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [IMClass] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [Msrootup.exe] C:\WINDOWS\System32\Msrootup.exe
    O4 - HKLM\..\Run: [Msrootocx.exe] C:\WINDOWS\System32\Msrootocx.exe
    O4 - HKLM\..\Run: [TypeChargeRun] C:\Program Files\NCH Swift Sound\TypeCharge\tcharge.exe /logon
    O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PAMELA~1\Avast\ashDisp.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    O4 - Startup: netdb.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: WordWeb.lnk = C:\Pamela's Programs\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize &Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Pamela's Programs\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Pamela's Programs\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - C:\Paid Response\GetRight\GRdownload.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Paid Response\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Save Forms &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &^ (HKLM)
    O9 - Extra button: PopStop (HKLM)
    O9 - Extra 'Tools' menuitem: &PopStop (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: IEToolbar - http://www.adlandpro.com/toolbar/ietoolbar.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {642ACB32-23DA-11D5-80CF-0050DA680987} (HearMe Voice Client Control (Firewall)) - http://www.globalcomm.ws/vdk3.0/vccfe.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.7992939815
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    OK, I think I have some info for you and it's not that good. The worm is called DUMARU.AI and it's a nasty one.

    Description:

    This worm logs keystrokes and gathers information from the infected system, sending these to a remote malicious user via email. It also gathers clipboard and protected storage data, as well as user information related to E-gold bank accounts and Web money.

    It can also send the following system information to a particular Web site:
    Storage data
    Internet Explorer Version
    Operating System and version
    IP address
    Screen Capture

    This worm also modifies the system's HOSTS file, preventing users from accessing antivirus Web sites to upgrade their antivirus patterns.

    It runs on Windows 95, 98, NT, ME, 2000, and XP.

    The tip-off was these lines in the HJT log:

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

    Go to Trendmicro for more information on the worm and its removal.

    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_DUMARU.AI
     
  5. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Run HJT and check these two entries and have HJT fix them.

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

    Next open system.ini in NotePad and make the following change. Remove/delete the part of the line that is bolded.

    Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

    This should stop it from running.

    REBOOT

    Next, go to C:\Windows\System32 and delete netdc.exe. This may have to be done in safe mode. From there follow the removal instructions at the Trendmicro link.

    Since this is a key logger that phones home, let's take care of it first and then come back and clean up anything else in the HJT log. This one is the PRIORITY.
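    The two indicators NiteHawk works from in the last two posts, the extra program on the F0/F2 Shell= lines and the HOSTS-file tampering from the Trend Micro write-up, can be checked mechanically. The script below is an added example, not code from this thread, from HijackThis or from any vendor; the sample log lines and HOSTS text are constructed, and the list of vendor hosts it watches is an illustrative assumption.

```python
"""Triage helpers for the two indicators discussed in this thread.

Check 1: on Windows NT/2000/XP the Winlogon shell is expected to be exactly
explorer.exe; any further program on the F0/F2 "Shell=" line HijackThis
reports is started at every logon and is a persistence location to review.
Check 2: a HOSTS file that pins antivirus vendor hosts to some address
(commonly 127.0.0.1) silently breaks signature updates and online scans.
"""
import re

EXPECTED_SHELL = "explorer.exe"

# F0 is the system.ini file itself, F2 the registry-mapped copy HijackThis shows.
SHELL_RE = re.compile(r"^F[02] - (REG:)?system\.ini: Shell=(?P<value>.*)$")

# Illustrative assumption: vendor domains worth watching in a HOSTS file.
AV_HOSTS = ("symantec.com", "trendmicro.com", "grisoft.com", "avast.com",
            "bitdefender.com", "windowsupdate.microsoft.com")


def shell_extras(hjt_lines):
    """Return (section, program) for every program on an F0/F2 Shell= line
    that is not explorer.exe. Programs are split on whitespace, so a path
    containing spaces would appear as several fragments."""
    extras = []
    for raw in hjt_lines:
        line = raw.strip()
        m = SHELL_RE.match(line)
        if not m:
            continue
        section = line[:2]  # "F0" or "F2"
        for prog in m.group("value").split():
            if prog.lower() != EXPECTED_SHELL:
                extras.append((section, prog))
    return extras


def hosts_redirects(hosts_text, watch_hosts=AV_HOSTS):
    """Return (address, hostname) pairs for HOSTS entries that map a watched
    vendor host (or any subdomain of it) to a fixed address. Comments and
    blank lines are ignored; the address itself is not judged."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            n = name.lower()
            if any(n == w or n.endswith("." + w) for w in watch_hosts):
                hits.append((addr, name))
    return hits


# Constructed sample: the two lines singled out above plus clean neighbours.
SAMPLE_HJT = [
    "R3 - Default URLSearchHook is missing",
    "F0 - system.ini: Shell=explorer.exe C:\\WINDOWS\\System32\\netdc.exe",
    "F2 - REG:system.ini: Shell=explorer.exe C:\\WINDOWS\\System32\\netdc.exe",
    "O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install",
]

# Constructed HOSTS sample: the default localhost line plus two pinned vendor hosts.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       housecall.trendmicro.com   # blocks the online scanner
"""


def triage(hjt_lines=SAMPLE_HJT, hosts_text=SAMPLE_HOSTS):
    """Run both checks and return one report dict."""
    return {"shell_extras": shell_extras(hjt_lines),
            "hosts_redirects": hosts_redirects(hosts_text)}


if __name__ == "__main__":
    report = triage()
    for section, prog in report["shell_extras"]:
        print(f"{section}: unexpected program on Shell= line: {prog}")
    for addr, name in report["hosts_redirects"]:
        print(f"HOSTS: {name} pinned to {addr}")
```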
     
  6. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Here is a link to the Symantec site with some additional info.

    http://www.symantec.com/avcenter/venc/data/backdoor.nibu.e.html

    Note: It is not uncommon for different antivirus companies to call the same infection by different names. Symantec calls it nibu.e, but if you look at the write-ups at both Trendmicro and Symantec you will see it is the same thing.
     
  7. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    NiteHawk, we cannot thank you enough. Pamela is in the process of doing all of the things suggested. We will let you know, as soon as we can.

    Thanks again, you guys are absolutely great and always so helpful!
     
  8. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    Okay while she was scanning as suggested at the TrendMicro site she found a new worm called I-Worm/Klez.H

    Could you please advise which one we should try to combat first? Should we continue with the original instructions or take different action?
     
  9. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    If the scan won't take care of both during the same scan, I would take care of the original one first since it is a key stroke logger. Then the new one.

    Once the worms and trojans are taken care of we can go back and clean up the rest of the HJT log.
     
  10. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    Okay sorry but the last entry was inaccurate...

    The scan at TrendMicro congratulated her on a clean scan; it was AVG that caught the problems. It is the only one that is picking both of these things up.
     
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    You have just underscored the reason that it never hurts to get a second opinion from another AV company when you think you are infected or are having problems. (y)

    Here are several places that you can do a free online scan. The advantage is that with the online sites the definitions are updated daily.

    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
     
  12. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    All suggestions have been followed, she has done all the scans and followed all of the instructions on removal that were given. All of the online scans are coming up clean, however AVG is still saying she has the trojan. AVG has given no warning yet of the last worm I listed (I-Worm/Klez.H).

    Here is the new HJT Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:33:08 PM, on 5/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Pamela's Programs\Avast\aswUpdSv.exe
    C:\Pamela's Programs\Avast\ashServ.exe
    C:\PAMELA~1\AVG\avgamsvr.exe
    C:\PAMELA~1\AVG\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Paid Response\IP Ad Killer\ipads.exe
    C:\PAMELA~1\AVG\avgcc.exe
    C:\PAMELA~1\AVG\avgemc.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\Pamela's Programs\LinkCrafter\Periodic.exe
    C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\System32\Msroot.exe
    C:\PAMELA~1\Avast\ashDisp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    C:\Pamela's Programs\WordWeb\wweb32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Michael Stearns\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Pamela's Programs\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PAMELA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Pamela's Programs\SnagIt 6\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [IDEAL Calendar] "C:\Program Files\Ideal calander\Calendar.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\WinPoET Broadband Connection\WrDialer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IPAds] C:\Paid Response\IP Ad Killer\ipads.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PAMELA~1\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PAMELA~1\AVG\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PAMELA~1\AVG\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [LinkPlanner] C:\Pamela's Programs\LinkCrafter\Periodic.exe
    O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton Uninstall Deluxe\NINIT.EXE
    O4 - HKLM\..\Run: [NSystemMonitor] C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Msroot.exe] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [IMClass] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [Msrootup.exe] C:\WINDOWS\System32\Msrootup.exe
    O4 - HKLM\..\Run: [Msrootocx.exe] C:\WINDOWS\System32\Msrootocx.exe
    O4 - HKLM\..\Run: [TypeChargeRun] C:\Program Files\NCH Swift Sound\TypeCharge\tcharge.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PAMELA~1\Avast\ashDisp.exe
    O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    O4 - Startup: netdb.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: WordWeb.lnk = C:\Pamela's Programs\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize &Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Pamela's Programs\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Pamela's Programs\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - C:\Paid Response\GetRight\GRdownload.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Paid Response\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Save Forms &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &^ (HKLM)
    O9 - Extra button: PopStop (HKLM)
    O9 - Extra 'Tools' menuitem: &PopStop (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: IEToolbar - http://www.adlandpro.com/toolbar/ietoolbar.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {642ACB32-23DA-11D5-80CF-0050DA680987} (HearMe Voice Client Control (Firewall)) - http://www.globalcomm.ws/vdk3.0/vccfe.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.7992939815
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249



    Pamela has decided to call it a night and will resume again in the morning. I will be keeping an eye open for any new advice you may have. Once again NiteHawk, we both can't thank you enough!
     
  13. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    This is not a complete list, but it has the most important ones.

    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing

    F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe


    See my comments in post #5 as to how to edit the system.ini file


    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    Reminder to register Creative Labs SoundBlaster Live! cards

    O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe

    O4 - Startup: netdb.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?



    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
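    The two checks in the advice above, "fix all checked" and then "run HJT again and post your log again to see if anything was missed", can be automated over the log text. The script below is an added example and is not part of this thread or of HijackThis itself: it parses HJT entry lines, flags F0/F2 `Shell=` entries that launch anything besides `explorer.exe` (the way netdc.exe was being relaunched at every logon here), and reports which fix-list entries are still present in a later log. Both sample texts are constructed from the entries in this thread; the follow-up log is trimmed and has one fix-list entry left in deliberately so the check has something to report.

```python
"""Compare a HijackThis fix list against a follow-up log (added example, not HJT code)."""
import re

# Constructed sample: the entries the helper listed for "have HT fix all checked".
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - Startup: netdb.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

# Constructed sample: a trimmed follow-up log; one fix-list entry is left in on purpose.
NEW_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PAMELA~1\AVG\avgcc.exe /STARTUP
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# HJT entry lines look like "O4 - HKLM\..\Run: [name] path"; header and process lines do not.
ENTRY_RE = re.compile(r"^\s*([RFO]\d{1,2})\s+-\s+(.*\S)\s*$")


def parse_entries(log_text):
    """Return (section, body) pairs for every HJT entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def normalize(section, body):
    """Key used to match entries across logs: case-insensitive, whitespace collapsed."""
    return section.upper() + " " + " ".join(body.split()).lower()


def shell_extras(body):
    """For an F0/F2 'Shell=' entry, return the programs listed after explorer.exe.

    A clean Windows XP system has Shell=explorer.exe and nothing else; every extra
    token is started at each logon, which is why deleting the file alone did not help.
    Tokens are split on whitespace, so a quoted path containing spaces would need
    extra handling; the entries in this thread have none.
    """
    m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    return [t for t in m.group(1).split() if t.lower() != "explorer.exe"]


def suspicious_shell_entries(log_text):
    """F0/F2 entries whose Shell= value launches something besides explorer.exe."""
    return [(s, b, shell_extras(b)) for s, b in parse_entries(log_text)
            if s in ("F0", "F2") and shell_extras(b)]


def remaining_items(fix_list_text, new_log_text):
    """Fix-list entries that still appear in a later log, i.e. items the fix missed."""
    present = {normalize(s, b) for s, b in parse_entries(new_log_text)}
    return [f"{s} - {b}" for s, b in parse_entries(fix_list_text)
            if normalize(s, b) in present]


if __name__ == "__main__":
    for section, body, extras in suspicious_shell_entries(FIX_LIST):
        print(f"{section}: Shell= launches extra program(s): {extras}")
    for item in remaining_items(FIX_LIST, NEW_LOG):
        print("still present after fix:", item)
```

Run it against a real log by replacing the two constructed strings with the pasted log text; an empty result from `remaining_items` is the condition the advice above is looking for before turning System Restore back on.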
     
  14. Wenchie

    Wenchie Thread Starter

    Joined:
    Mar 12, 2004
    Messages:
    21
    Okie dokie, she did everything you said to do, and everything on her end seems to be going well so far. No sign of any worms since this morning, which was prior to following your latest instructions. Below is the new HJT log. If everything looks good to you, she wants to know if she can turn her system restore back on.


    Logfile of HijackThis v1.97.7
    Scan saved at 10:06:34 AM, on 5/23/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Pamela's Programs\Avast\aswUpdSv.exe
    C:\Pamela's Programs\Avast\ashServ.exe
    C:\PAMELA~1\AVG\avgamsvr.exe
    C:\PAMELA~1\AVG\avgupsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Paid Response\IP Ad Killer\ipads.exe
    C:\PAMELA~1\AVG\avgcc.exe
    C:\PAMELA~1\AVG\avgemc.exe
    C:\Pamela's Programs\LinkCrafter\Periodic.exe
    C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
    C:\WINDOWS\System32\Msroot.exe
    C:\PAMELA~1\Avast\ashDisp.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    C:\Pamela's Programs\WordWeb\wweb32.exe
    C:\Documents and Settings\Michael Stearns\Desktop\hijackthis1977\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {00000000-0007-5041-4354-0020e48020af} - C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Pamela's Programs\Pop-Up Stopper Companion\popupus.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PAMELA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Pamela's Programs\SnagIt 6\SnagItIEAddin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [IDEAL Calendar] "C:\Program Files\Ideal calander\Calendar.exe"
    O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\WinPoET Broadband Connection\WrDialer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IPAds] C:\Paid Response\IP Ad Killer\ipads.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PAMELA~1\AVG\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PAMELA~1\AVG\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PAMELA~1\AVG\avgregcl.exe /BOOT
    O4 - HKLM\..\Run: [LinkPlanner] C:\Pamela's Programs\LinkCrafter\Periodic.exe
    O4 - HKLM\..\Run: [NInit] C:\Program Files\Norton Uninstall Deluxe\NINIT.EXE
    O4 - HKLM\..\Run: [NSystemMonitor] C:\Program Files\Norton Uninstall Deluxe\SYMMON.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PAMELA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [Msroot.exe] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [IMClass] C:\WINDOWS\System32\Msroot.exe
    O4 - HKLM\..\Run: [Msrootup.exe] C:\WINDOWS\System32\Msrootup.exe
    O4 - HKLM\..\Run: [Msrootocx.exe] C:\WINDOWS\System32\Msrootocx.exe
    O4 - HKLM\..\Run: [TypeChargeRun] C:\Program Files\NCH Swift Sound\TypeCharge\tcharge.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PAMELA~1\Avast\ashDisp.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: 12Ghosts Popup-Killer.lnk = C:\Pamela's Programs\Pop Up Stopper\12Ghosts\12popup.exe
    O4 - Startup: WordWeb.lnk = C:\Pamela's Programs\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize &Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Pamela's Programs\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Pamela's Programs\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download with GetRight - C:\Paid Response\GetRight\GRdownload.htm
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Paid Response\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Save Forms &^ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &^ (HKLM)
    O9 - Extra button: PopStop (HKLM)
    O9 - Extra 'Tools' menuitem: &PopStop (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: FlashGet (HKLM)
    O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O16 - DPF: IEToolbar - http://www.adlandpro.com/toolbar/ietoolbar.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {642ACB32-23DA-11D5-80CF-0050DA680987} (HearMe Voice Client Control (Firewall)) - http://www.globalcomm.ws/vdk3.0/vccfe.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.7992939815
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0E5F3F10-6E82-48C4-A6E7-A27A1E4C103B}: NameServer = 209.206.160.254 209.206.184.249


    NiteHawk, I want to thank you so much for the time, effort and research you have done on our behalf, we would have been so lost without you.
     
  15. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Yes, she can turn System Restore back on and create a new restore point.
     
Short URL to this thread: https://techguy.org/231604