
Spyware? HJT log attached

Discussion in 'Virus & Other Malware Removal' started by rickyd, Sep 23, 2003.

Thread Status:
Not open for further replies.
  1. rickyd

    rickyd Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    2
    I suspect that there is spyware of some kind installed on my computer. An individual has been displaying knowledge that shouldn't be available unless they're tracking my internet communications.

    A couple of weeks ago, I had a Welchia virus. My Virus detection and Firewall detected it immediately, and I used Symantec's removal tool. Since then, my internet connection stops working about twice a day. I'm noticing a lot of traffic on ports 137-9, even though I supposedly have these blocked via my firewall. Just before my connection stops working, I see a lot of UDP traffic outward from my PC to port 1900 at 239.255.255.250 and from various ports on my PC to the same port number on 127.0.0.1, which seems to be a self-loop. The offending UDP traffic originates in srvhost.exe.

    I've run Ad-Aware, Spybot and Hijack This to try to identify the problem, but nothing turns up. I'm running Symantec Antivirus Corporate Edition, Kerio Personal Firewall, and SpywareGuard, all with the latest definitions, and none of which has made a peep since Welchia came to visit.

    If anyone can help me understand this, I'm greatly indebted. I've spent hundreds of hours online trying to figure out what's going on.

    Hijackthis.log:

    Logfile of HijackThis v1.96.4
    Scan saved at 4:50:12 AM, on 9/22/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Eclipse\eclipse\eclipse.exe
    C:\WINDOWS\system32\javaw.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
    C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\spider.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\g73t1q6r.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\g73t1q6r.slt\prefs.js)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.1597685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Welcome to TSG, Rickyd

    Restart Hijack This and put a check mark next to the following:

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe

    Click Fix Checked

    As you are running XP, you may also want to have a look at this page
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.rd.yahoo.com/customize/ym...://my.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

    O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE


    Comments:
    This would seem to be a source of unending popups and Spam email.

    RCSync.exe PrizeSurfer related. "PrizeSurfer is the free software that automatically enters you to win cash and prizes just for surfing the web and shopping online!" Reportedly stealth installed

    Known resource hog:

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE

    Do you use fax all the time, everyday?

    As for the Atomic clock, it's fine, just check that it isn't going out to sync more than once a day.


    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    To remove Microsoft messenger Service... the source of a lot of annoying pop-ups, do the following:

    1. Click Start->Control Panel
    2. For Category View only (skip this step for Classic View), click Performance and Maintenance
    3. Click Administrative Tools
    4. Double-click Services
    5. Scroll down and highlight "Messenger"
    6. Right-click the highlighted line and choose Properties
    7. Click the STOP button.
    8. Select Disabled or Manual on the Startup Type drop-down menu
    9. Click OK
     
  5. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  6. rickyd

    rickyd Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    2
    Wow. You guys are great. Thanks for all the help.

    I think I've done just about everything that was suggested. When I reboot, I still get a flurry of UDP activity. I get exactly the same activity immediately before the periodic problem of my internet connection crashing. When I say crashing, I mean I can no longer use it. Browsers, chat windows, etc. don't work. But the connection seems to still be there, and my firewall shows there's activity going on. The activity all originates with svchost.exe. Is there any way to find out exactly which service is sending the data?

    I also still see a lot of activity on 137 and 138, even though I've blocked those with my firewall. Any idea what this is, and how I stop it or if I should?

    What follows is a copy of the suspicious activity from my firewall log. After that is a copy of my hopefully clean HJT log.

    Firewall log:

    23/Sep/2003 18:47:52 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:52 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:52 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:58 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:58 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:58 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:47:58 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->localhost [127.0.0.1:1034]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->localhost [127.0.0.1:1034]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->localhost [127.0.0.1:1035]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
    23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->localhost [127.0.0.1:1035]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE

    Hijack This log:

    Logfile of HijackThis v1.96.4
    Scan saved at 7:43:53 PM, on 9/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\system32\cba\pds.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\cba\xfr.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\TextPad 4\TextPad.exe
    C:\Program Files\Kerio\Personal Firewall\PFWADMIN.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\HijackThis\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\g73t1q6r.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\g73t1q6r.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
    O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
    O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
    O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.1597685185
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks again for all your help.

    Rick
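The "post your log again to see if anything was missed" step can be done mechanically. The following is an added example, not part of any post in the thread: it parses HijackThis result lines, lists entries marked as orphaned, and reports which fix-list items still appear in a later log. The function names are assumptions of this example, and the sample data is copied (shortened) from the posts above.

```python
import re

# Entries the two helpers asked to have fixed, copied from their replies
# (the R0 URL is elided with "..." exactly as the forum rendered it).
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.rd.yahoo.com/customize/ym...://my.yahoo.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RCSync] C:\Program Files\RCPrograms\RCSync.exe
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Excerpt of the follow-up log, copied from the thread and shortened.
AFTER_LOG = r"""
Logfile of HijackThis v1.96.4
Running processes:
C:\WINDOWS\system32\svchost.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
"""

# A result line is a section code (R0, N3, O4, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")


def parse_entries(text):
    """Return (code, body) per result line; header and process lines are skipped."""
    found = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]


def _norm(body):
    """Case-fold and collapse whitespace so pasted copies compare equal."""
    return " ".join(body.lower().split())


def same_entry(wanted, actual):
    """Compare two entries, tolerating a forum-elided middle ('...') in `wanted`."""
    if wanted[0] != actual[0]:
        return False
    w, a = _norm(wanted[1]), _norm(actual[1])
    if "..." not in w:
        return w == a
    head, tail = w.split("...", 1)
    return len(a) >= len(head) + len(tail) and a.startswith(head) and a.endswith(tail)


def orphaned(entries):
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return [e for e in entries if e[1].endswith(("(file missing)", "(no file)"))]


def still_present(fix_text, log_text):
    """Fix-list entries that still appear in a later log."""
    later = parse_entries(log_text)
    return [w for w in parse_entries(fix_text)
            if any(same_entry(w, a) for a in later)]


if __name__ == "__main__":
    for code, body in still_present(FIX_LIST, AFTER_LOG):
        print("still present:", code, "-", body)
```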
     
  7. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Have a read of M$KB 317843 to solve the Port 1900 problem which is likely to be the result of a Plug and Play device being found on your network
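The firewall entries posted above can be sorted by destination to see how much of the noise is UPnP discovery. The following is an added example, not part of any post in the thread: it parses lines in the format rickyd pasted and labels UDP traffic to 239.255.255.250:1900 as SSDP (the UPnP discovery multicast), separating it from loopback and NetBIOS (137-139) traffic. Function names and category labels are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter
from pathlib import PureWindowsPath

# Six entries copied from the firewall log posted in the thread.
SAMPLE_LOG = r"""
23/Sep/2003 18:47:52 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
23/Sep/2003 18:47:52 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
23/Sep/2003 18:47:55 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->239.255.255.250:1900; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1034->localhost [127.0.0.1:1034]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
23/Sep/2003 18:48:01 Generic Host Process for Win32 Services blocked; Out UDP; localhost:1035->localhost [127.0.0.1:1035]; Owner: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
"""

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group (UPnP discovery)
NETBIOS_PORTS = {137, 138, 139}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<rule>.+?) (?P<action>\w+); "
    r"(?P<dir>In|Out) (?P<proto>\w+); (?P<src>[^;]+?)->(?P<dst>[^;]+); "
    r"Owner: (?P<owner>.+)$"
)


def parse_endpoint(text):
    """Return (ip or None, port) from 'host:port' or 'host [ip:port]'."""
    bracket = re.search(r"\[([^\]]+)\]", text)
    host, _, port = (bracket.group(1) if bracket else text.strip()).rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a bare name such as 'localhost'
        ip = None
    return ip, int(port)


def classify(ip, port, proto):
    """Label a destination by what normally talks to it."""
    if proto == "UDP" and port == 1900 and ip == SSDP_GROUP:
        return "ssdp-discovery"
    if ip is not None and ip.is_loopback:
        return "loopback"
    if port in NETBIOS_PORTS:
        return "netbios"
    return "other"


def triage(log_text):
    """Count entries per (owner executable, category); return (counts, unparsed lines)."""
    counts, unparsed = Counter(), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        try:
            ip, port = parse_endpoint(m["dst"]) if m else (None, None)
        except ValueError:  # non-numeric port
            m = None
        if not m:
            unparsed.append(line)
            continue
        owner = PureWindowsPath(m["owner"]).name.lower()
        counts[(owner, classify(ip, port, m["proto"]))] += 1
    return counts, unparsed


if __name__ == "__main__":
    totals, bad = triage(SAMPLE_LOG)
    for (owner, category), n in sorted(totals.items()):
        print(f"{owner:12} {category:15} {n}")
    print("unparsed lines:", len(bad))
```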
     
  8. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Go to http://grc.com/unpnp/unpnp.htm and read Steve Gibson's article on Unplug n' Pray. Then d/l his excellent tool for disabling plug n' play.

    Plug n' play is just one more on a long list of Microsoft security holes.

    Who needs hackers, when we've got Microsoft??

    Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyberterrorists.

    But only while it is still in the shrink wrap!!
     

Short URL to this thread: https://techguy.org/166793
