Post by: dk21mm on April 09, 2005, 07:28:53 PM
Logfile of HijackThis v1.99.1
Scan saved at 6:22:58 PM, on 09/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\X1002142005.EXE
C:\PROGRAM FILES\BPT\BPT.EXE
C:\PROGRAM FILES\BPC_SEARCH\BPCV2.EXE
C:\WINDOWS\MCM\MCM.EXE
C:\PROGRAM FILES\SUBLIMINAL POWER\SUBLIMINALPOWER.EXE
C:\WINDOWS\SYSTEM\FXREDIR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/ (http://\"http://ca.msn.com/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/ (http://\"http://www.white-pages.ws/\")
R3 - Default URLSearchHook is missing
O2 - BHO: Xbrowse Class - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X2FF\X2FF0.DLL
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - C:\PROGRAM FILES\FLEN\FLEN.DLL
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSSD0B3.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\APPLICATION DATA\SYSUPD.EXE
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPANTI] C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\SYSTEM\X1002142005.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [BPCV2] C:\PROGRAM FILES\BPC_SEARCH\BPCV2.EXE
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [mcm] C:\WINDOWS\mcm\mcm.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: AOL Instant Messenger (tm) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (http://\"http://www.dellnet.com\") (file missing) (HKCU)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab (http://\"http://download.mcafee.com/molbin/Shared/MGBrwFld.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll\")
O16 - DPF: {FE2BC90F-3FCE-49AD-A2E4-FA5D48BECD80} (SSCCtl Class) - http://www.sightsound.com/Components/SSCDLL.CAB (http://\"http://www.sightsound.com/Components/SSCDLL.CAB\")
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab (http://\"http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab (http://\"http://www.virtualvegas.com/cab/WONWebLauncherControl.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab (http://\"http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab\")
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab (http://\"http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab\")
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab (http://\"http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab (http://\"http://www.streamaudio.com/download/ccpm_0237.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm2_inst.cab (http://\"http://dm.cometsystems.com/dm/dm2_inst.cab\")
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://cdn.riversoftware.net/x0ff.cab (http://\"http://cdn.riversoftware.net/x0ff.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
Any help is much appreciated. Thanks
Post by: guestolo on April 10, 2005, 01:49:32 PM
==Download and save to desktop CWShredder.exe from my signature below
Don't run it yet
==Download and UNZIP to your desktop begin.zip
[attachment=129:attachment]
So you now have begin.reg on your desktop
We'll need this later
==Download and Install this small program
to help clean your temp folders,cookies, recylebin
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Install for now, don't run a scan yet
You may want to print the rest of this out or save the instructions too a notepad file so you can refer to them
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Access your Add/Remove programs and uninstall if found
RVP
VisualElementFX
Stay in safe mode
Find and delete these files or folders if found
C:\WINDOWS\SYSTEM\NSSD0B3.DLL <-file
C:\Program Files\Common Files\Java\bptre.exe
C:\Program Files\Common Files\Java\flencpy.exe
C:\WINDOWS\APPLICATION DATA\SYSUPD.EXE
C:\WINDOWS\SYSTEM\X1002142005.EXE
C:\Program Files\Bpt <-folder
C:\PROGRAM FILES\BPC_SEARCH <-folder
C:\PROGRAM FILES\FLEN <-folder
C:\WINDOWS\VisualElementFXad <-folder
C:\WINDOWS\ALL USERS\APPLICATION DATA\X2FF <-folder
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/ (http://\"http://www.white-pages.ws/\")
R3 - Default URLSearchHook is missing
O2 - BHO: Xbrowse Class - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - C:\WINDOWS\ALL USERS\APPLICATION DATA\X2FF\X2FF0.DLL
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - C:\PROGRAM FILES\FLEN\FLEN.DLL
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\NSSD0B3.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\APPLICATION DATA\SYSUPD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\SYSTEM\X1002142005.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
O4 - HKLM\..\Run: [BPCV2] C:\PROGRAM FILES\BPC_SEARCH\BPCV2.EXE
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [mcm] C:\WINDOWS\mcm\mcm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab (http://\"http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab\")
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab (http://\"http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab\")
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm2_inst.cab (http://\"http://dm.cometsystems.com/dm/dm2_inst.cab\")
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://cdn.riversoftware.net/x0ff.cab (http://\"http://cdn.riversoftware.net/x0ff.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Windows CleanUp!>>START>>Programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't Restart your computer yet
Instead
Run CWShredder.exe and click the FIX button, let it fix what it finds
Restart your computer back to normal mode
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Post back a fresh hijackthis log afterwards
Could you also
Go to this site please
Give this site time to load
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\MCM\MCM.EXE<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
Post by: dk21mm on April 10, 2005, 04:22:25 PM
Logfile of HijackThis v1.99.1
Scan saved at 3:11:51 PM, on 10/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SUBLIMINAL POWER\SUBLIMINALPOWER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\FXREDIR.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/ (http://\"http://ca.msn.com/\")
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPANTI] C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (http://\"http://www.dellnet.com\") (file missing) (HKCU)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab (http://\"http://download.mcafee.com/molbin/Shared/MGBrwFld.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll\")
O16 - DPF: {FE2BC90F-3FCE-49AD-A2E4-FA5D48BECD80} (SSCCtl Class) - http://www.sightsound.com/Components/SSCDLL.CAB (http://\"http://www.sightsound.com/Components/SSCDLL.CAB\")
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab (http://\"http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab (http://\"http://www.virtualvegas.com/cab/WONWebLauncherControl.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab (http://\"http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab (http://\"http://www.streamaudio.com/download/ccpm_0237.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
These are the scanner results:
AntiVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
mks_vir
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
VBA32
Found nothing
Post by: guestolo on April 10, 2005, 04:56:14 PM
Can you navigate too
C:\WINDOWS\mcm\mcm.exe
Right click on mcm.exe and left click properties
Version tab, let me know what it's related too if you can find info on it
Was it recently created?
You don't have Motorcycle Madness installed do you?
Next
Could you please only use Hijackthis from this location
C:\HJT\HIJACKTHIS.EXE
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
Do you know what the next one is related too??
If not fix it too, does it need to be on startup??
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Let me know what Subliminal Power is related too
Also the info about mcm.exe
Could you also let me know if there are other files in the mcm folder
Could you also run this file through that Online Malware scanner at Jotti's
C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE <-this file
Post by: dk21mm on April 11, 2005, 02:47:07 PM
/blink.gif\' class=\'bbc_emoticon\' alt=\':blink:\' /> I know that I haven't installed Motorcyle Madness.Subliminal Power was a program I installed a year or so ago.
This was the response after checking C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE at Jotti:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
Post by: guestolo on April 11, 2005, 04:24:11 PM
what it is
C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE <-this file
Can you navigate to it and right click on it and left click properties
Was it recently created, whats the file size?
Is there a version tab, do you know what it's related too?
Post by: dk21mm on April 11, 2005, 10:34:05 PM
Post by: guestolo on April 11, 2005, 10:40:27 PM
C:\HJT\HIJACKTHIS.EXE
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [IPANTI] C:\WINDOWS\MICROSOFT.NET\IPANTI.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer and post back a fresh hijackthis log and let me know how everythings running
Post by: dk21mm on April 12, 2005, 02:38:31 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:34:29 PM, on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\MCM\MCM.EXE
C:\PROGRAM FILES\SUBLIMINAL POWER\SUBLIMINALPOWER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\FXREDIR.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/ (http://\"http://ca.msn.com/\")
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [mcm] C:\WINDOWS\mcm\mcm.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (http://\"http://www.dellnet.com\") (file missing) (HKCU)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab (http://\"http://download.mcafee.com/molbin/Shared/MGBrwFld.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll\")
O16 - DPF: {FE2BC90F-3FCE-49AD-A2E4-FA5D48BECD80} (SSCCtl Class) - http://www.sightsound.com/Components/SSCDLL.CAB (http://\"http://www.sightsound.com/Components/SSCDLL.CAB\")
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab (http://\"http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab (http://\"http://www.virtualvegas.com/cab/WONWebLauncherControl.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab (http://\"http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab (http://\"http://www.streamaudio.com/download/ccpm_0237.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
Post by: guestolo on April 12, 2005, 02:43:24 PM
C:\WINDOWS\MCM\MCM.EXE
It's in your running processes
Set windows to show hidden files and folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
* Click Start, Programs and Accessories and open Windows Explorer.
* Select a hard drive from the left hand side of the Windows Explorer window.
* Select View the Entire contents of this drive.
Now try navigating to MCM.exe
Right click on it and left click properties
Let me know what you can find out about it
Date created as example
If there's a version tab, see what it's related too
Post by: dk21mm on April 12, 2005, 02:45:25 PM
Post by: guestolo on April 12, 2005, 02:49:24 PM
Is this a script that you voluntarily entered?
Did you check out that link too, I've never seen the program before
Make sure to check out this link too
http://www.autoitscript.com/autoit3/ (http://\"http://www.autoitscript.com/autoit3/\")
Did you install this prog...?
Post by: dk21mm on April 12, 2005, 03:11:46 PM
If I click on the location in the search results box I get these as being in the mcm folder:
cache, dats, logs - file folders.
au3, mcm - applications.
mcm - configuration settings
This is part of the blurb from the autoit site:
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on 95, 98, ME, NT4, 2000, XP, 2003 out of the box with no annoying "runtimes" required! You can even make compiled executable scripts that can run without AutoIt being installed!
I did not knowingly instal it.
Post by: guestolo on April 12, 2005, 03:15:11 PM
I'm not sure
Can you open Hijackthis>>Open Misc Tools section>>Open Uninstall manager
Click the "Save List" button
Save the list to desktop and then copy and paste it back here, thanks
Post by: dk21mm on April 12, 2005, 03:21:42 PM
Adaptec DirectCD
Adaptec Easy CD Creator 4
Ad-Aware SE Personal
Adobe Acrobat 4.0
American McGee's Alice(tm)
ATI Display Driver
AVG Free Edition
Canon Creative Launcher
Canon MultiPASS ODBC Interface
Canon MultiPASS Suite 3.10
Canon Photo
Canon ScanGear 4.0 for MultiPASS
Canon Web Publisher
ChromaFAX
CleanUp!
Dell Documents
Dell ResourceCD
HijackThis 1.99.1
InterActual Player
Internet Explorer Q889293
InterVideo WinDVD
JukeBox Tools
Languages of the World
Learn To Speak German 8.0
Microsoft .NET Framework 1.1
Microsoft ActiveX Control Pad
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia 2000
Microsoft Expedia Streets & Trips 2000
Microsoft Home Publishing 2000
Microsoft IntelliType Pro
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2000 Standard
Microsoft Outlook Express 6
Microsoft Picture It! Express 2000
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2000
Microsoft Works 2000
Microsoft Works 2000 Setup Launcher
Modem Test
MouseWare 9.01
Mozilla Firefox (1.0)
Mozilla Firefox (1.0.1)
Mozilla Firefox (1.0.2)
MSN Messenger 5.0
OfficeReady CC
Outlook Express Q823353
PCFriendly
PhoneTools
PrintMaster Classic SE 8.0
QuickTime
RealPlayer
Registry Mechanic
Shizmoo Web Games (Uproar)
Shockwave
Sound Blaster Live! Value
Spybot - Search & Destroy 1.2
Starware
Subliminal Power 1.5
TextBridge Pro 8.0
Unitype Applications
Universal Media Player
Windows Millennium Edition Q823559 Update
Word in Works Suite add-in
Yahoo! Internet Mail
Yahoo! Messenger
Post by: guestolo on April 12, 2005, 03:39:12 PM
Usually unknowingly installed
If you don't remember installing it, remove it through your Add/Remove programs
and then restart the computer
Your running an out of date version of Spybot
Can you uninstall Spybot 1.2
After removal
Download and Install Spybot S&D 1.3 (http://\"http://www.download.com/3000-8022-10122137.html\")
After installation--Click the Update button on the left
ThenSEARCH FOR UPDATES
Check and Download all updates
Afterwards, click the Search and Destroy button
Check for Problems---Let it complete it's scan
FIX everything in RED>>Should be checked by default
Restart the computer again to finish the cleaning process
Post back a fresh Hjackthis log afterwards
Let me know it MCM.exe is still around
Post by: dk21mm on April 13, 2005, 11:01:58 PM
Logfile of HijackThis v1.99.1
Scan saved at 9:54:06 PM, on 13/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MCM\MCM.EXE
C:\PROGRAM FILES\SUBLIMINAL POWER\SUBLIMINALPOWER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\FXREDIR.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/ (http://\"http://ca.msn.com/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [mcm] C:\WINDOWS\mcm\mcm.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (http://\"http://www.dellnet.com\") (file missing) (HKCU)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab (http://\"http://download.mcafee.com/molbin/Shared/MGBrwFld.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll\")
O16 - DPF: {FE2BC90F-3FCE-49AD-A2E4-FA5D48BECD80} (SSCCtl Class) - http://www.sightsound.com/Components/SSCDLL.CAB (http://\"http://www.sightsound.com/Components/SSCDLL.CAB\")
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab (http://\"http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab (http://\"http://www.virtualvegas.com/cab/WONWebLauncherControl.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab (http://\"http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab (http://\"http://www.streamaudio.com/download/ccpm_0237.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx
mcm appears to be around still.
Post by: guestolo on April 14, 2005, 12:21:21 AM
with all other windows closed
O4 - HKLM\..\Run: [mcm] C:\WINDOWS\mcm\mcm.exe
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - http://www.virtualvegas.com/cab/WONWebLauncherControl.cab (http://\"http://www.virtualvegas.com/cab/WONWebLauncherControl.cab\")
Restart your computer
Find and send to the recycle bin for now
C:\WINDOWS\mcm <-this folder
Also look for this folder and remove if found
C:\PROGRAM FILES\Starware
and this one
C:\PROGRAM FILES\Comet System
Did you remove Starware from the list??
If not do so....
Restart the computer afterwards and let me know if it's gone
Do you have a Toolbar in Internet Explorer that is unwanted?
Post by: dk21mm on April 14, 2005, 10:39:51 PM
I could not find Comet System or Starware any place. I have taken Starware off the list.
Forgive my pneumonia-addled brain, but what do you mean by 'toolbar in internet explorer?' I do know what you mean but it's not getting through the fog.
Post by: guestolo on April 14, 2005, 10:50:18 PM
relating to StarWares?
I don't see any in your Hijackthis log, so I guess not
If everything is running better
Could you
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Could you post back one last hijackthis log afterwards, let's make sure everything is still gone
Post by: dk21mm on April 15, 2005, 12:05:44 AM
Thanks a lot for your help. It is very much appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 10:58:26 PM, on 14/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MPTBOX.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SUBLIMINAL POWER\SUBLIMINALPOWER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\FXREDIR.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.msn.com/ (http://\"http://ca.msn.com/\")
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PrintMaster Event Reminder.lnk = C:\Program Files\Canon Creative\PrintMaster\Pmremind.exe
O4 - Startup: SubliminalPower.lnk = C:\Program Files\Subliminal Power\SubliminalPower.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (http://\"http://www.dellnet.com\") (file missing) (HKCU)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab (http://\"http://download.mcafee.com/molbin/Shared/MGBrwFld.cab\")
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ials/ymmapi.dll (http://\"http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi.dll\")
O16 - DPF: {FE2BC90F-3FCE-49AD-A2E4-FA5D48BECD80} (SSCCtl Class) - http://www.sightsound.com/Components/SSCDLL.CAB (http://\"http://www.sightsound.com/Components/SSCDLL.CAB\")
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/contr...loadcontrol.cab (http://\"http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab\")
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab (http://\"http://fdl.msn.com/public/chat/msnchat45.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.groups.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab (http://\"http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab (http://\"http://www.streamaudio.com/download/ccpm_0237.cab\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Email Removed Attachments Control) - http://by102fd.bay102.Email (http://\"http://by102fd.bay102.Email\") Removed.msn.com/activex/HMAtchmt.ocx