# Startium and other issues. Log File included



## SkyHighComic (Nov 7, 2003)

I thank you in advance for this. I have tried a few things to remove this, but have come up with nothing. I have found the other threads with info on this, but I am leery to use the information since each system is unique and I do not want to damage my system. I have the startium bar, and random popups happening on this computer. I am using AVG Pro anti-virus, and ZoneAlarm Pro Firewall. I also run AdAware to clean things from time to time. None of these programs seems to be finding and removing my problems :/

Logfile of HijackThis v1.97.3
Scan saved at 9:58:09 AM, on 11/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\WINDOWS\System32\syscpy.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\emsw.exe
C:\WINDOWS\System32\wjview.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
C:\Program Files\DiGiCam\Digicam30.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\UquPz.exe
C:\WINDOWS\System32\Kio55wM4.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\DiGiCam\BcastTcp.exe
C:\Program Files\DiGiCam\DMMailServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skyhighcomics.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {30919D3E-9F71-4442-8DE4-63661247E046} - C:\WINDOWS\System32\gdpvoice.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: (no name) - {CA505034-6940-45F1-BA13-BC9DED6AB7ED} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [5QY58GP2ZDK8HF] C:\WINDOWS\System32\UwdTwS.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Pcar] C:\Documents and Settings\Adam\Application Data\sueb.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Adam\HXIUL.EXE -uninstall
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Random Desktop.lnk = C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.keenspot.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0964c8cc52eb03a4af02/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37637.4065277778
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/jinnyhot3452/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

Thanks


----------



## cybertech (Apr 16, 2002)

Please go to Control Panel, Add/Remove software and remove new.net. Then post another log.


----------



## SkyHighComic (Nov 7, 2003)

> _Originally posted by cybertech:_
> *Please go to Control Panel, Add/Remove software and remove new.net. Then post another log.*


Unfortunately it is not in the add/remove programs list :/

Here is the log file anyway.

Logfile of HijackThis v1.97.3
Scan saved at 11:12:49 AM, on 11/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\WINDOWS\System32\syscpy.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\emsw.exe
C:\WINDOWS\System32\wjview.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\System32\winservn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
C:\Program Files\DiGiCam\Digicam30.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\UquPz.exe
C:\WINDOWS\System32\Kio55wM4.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\DiGiCam\BcastTcp.exe
C:\Program Files\DiGiCam\DMMailServer.exe
C:\Program Files\Intuit\QBPOS\QBPos.exe
C:\Program Files\Intuit\QBPOS\RPRO\EFT\EftSvr.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skyhighcomics.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {30919D3E-9F71-4442-8DE4-63661247E046} - C:\WINDOWS\System32\gdpvoice.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: (no name) - {CA505034-6940-45F1-BA13-BC9DED6AB7ED} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [5QY58GP2ZDK8HF] C:\WINDOWS\System32\UwdTwS.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Pcar] C:\Documents and Settings\Adam\Application Data\sueb.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Adam\HXIUL.EXE -uninstall
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Random Desktop.lnk = C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.keenspot.org
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0964c8cc52eb03a4af02/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37637.4065277778
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/jinnyhot3452/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------



## cybertech (Apr 16, 2002)

That's ok, we'll work through it.

While I'm looking at your log... Do you know what these programs are?
C:\WINDOWS\System32\UquPz.exe
C:\WINDOWS\System32\Kio55wM4.exe
C:\WINDOWS\System32\BRMFRSMG.EXE

If not can you do a search for them and tell me what is in the properties of each.


----------



## dvk01 (Dec 14, 2002)

for a start you have peper trojan

I am asking for this to be moved to security where I will PM firman1 to take a look. He is our resident peper expert and has the best success rate at fixing it


----------



## cybertech (Apr 16, 2002)

Thanks Derek!


----------



## dvk01 (Dec 14, 2002)

as to the rest 
first follow advice here to remove newdotnet

www.newdotnet.com

then we will work through your log and suggest a fix, while we wait for firman


----------



## dvk01 (Dec 14, 2002)

run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
O2 - BHO: (no name) - {30919D3E-9F71-4442-8DE4-63661247E046} - C:\WINDOWS\System32\gdpvoice.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)

O3 - Toolbar: (no name) - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - (no file)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
O3 - Toolbar: (no name) - {CA505034-6940-45F1-BA13-BC9DED6AB7ED} - (no file)

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Pcar] C:\Documents and Settings\Adam\Application Data\sueb.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Adam\HXIUL.EXE -uninstall

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.keenspot.org

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/0964c8cc52eb03...tzip/RdxIE2.cab

O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} (DialXSCtl Object) - http://www.x0.nl/install2/dialxs.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://www.geocities.com/jinnyhot3452/loader.cab

reboot & delete these files 
C:\WINDOWS\System32\stlbdist.DLL
C:\WINDOWS\System32\gdpvoice.dll
C:\WINDOWS\System32\syscpy.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\emsw.exe
C:\Documents and Settings\Adam\Application Data\sueb.exe
C:\WINDOWS\System32\winservn.exe
and these folders
C:\Program Files\ClearSearch
C:\Program Files\Power Scan
C:\Program Files\Media\
C:\Program Files\couponsandoffers
C:\Program Files\ISTsvc
C:\Program Files\Alset
reboot 
Run an online antivirus check from at least one and preferably 2 of the following sites 
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/

reboot again and download the following programs if you haven't already got them
*Download Spybot - Search & Destroy from http://security.kolla.de*

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot & 
*download AdAware 6  
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".*
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now to scan it's just to click the "Scan" button.

When scan is finished, mark everything for removal and get rid of it.

then post a new hijackthis log to check what is left


----------



## ~Candy~ (Jan 27, 2001)

> _Originally posted by dvk01:_
> as to the rest
> first follow advice here to remove newdotnet
> 
> ...


Who's firman and have I met him?


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by AcaCandy:_
> *Who's firman and have I met him*


http://forums.techguy.org/member.php?action=getinfo&find=lastposter&threadid=176907


----------



## SkyHighComic (Nov 7, 2003)

> reboot & delete these files
> ...
> C:\Program Files\ISTsvc
> ...


This folder would not delete at the step mentioned above. I did remove the newdotnet from the computer before the other steps.

Working on the web based anti-virus now.

Luckily my firewall seems to have been catching the trojans.

How much harm should I do to my Business partner that got all of this on this computer?


----------



## dvk01 (Dec 14, 2002)

after all the antivirus scans and spybot/adaware have run and done their thing post a new log and we'll see if istsvc is still there and then remove it


----------



## dvk01 (Dec 14, 2002)

> _Originally posted by SkyHighComic:_
> 
> How much harm should I do to my Business partner that got all of this on this computer?


That's something you should ask ACAcandy, our administrator, she had a similar problem with her computer when she went away, 

he/she definitely deserves a :down: at the very least


----------



## ~Candy~ (Jan 27, 2001)

Let's just say I wouldn't start with the fingers  

Derek, I know who flrman is, I was wondering who firman was  Lol, right over your head


----------



## Flrman1 (Jul 26, 2002)

firman has arrived! 

SkyHighComic Just let me know when you're ready to deal with peper.


----------



## SkyHighComic (Nov 7, 2003)

I have followed directions and I am down to this:

Logfile of HijackThis v1.97.3
Scan saved at 3:17:35 PM, on 11/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
C:\Program Files\DiGiCam\Digicam30.exe
C:\Program Files\DiGiCam\BcastTcp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\KubCM67i.exe
C:\Program Files\DiGiCam\DMMailServer.exe
C:\WINDOWS\System32\Vfp801.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skyhighcomics.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - HKLM\..\Run: [5QY58GP2ZDK8HF] C:\WINDOWS\System32\QjlqXge2.exe
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Random Desktop.lnk = C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37637.4065277778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


----------
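Added example, not part of any post in this thread: a comparison of the `O4` Run entries and running processes in the 9:58 AM and 3:17 PM logs above, showing what the cleanup removed and what survived. The function names are hypothetical, and the two sample logs are abridged from the ones posted in the thread.

```python
import re

# Matches HijackThis O4 registry autostart lines, e.g.
#   O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")

# Abridged from the 9:58 AM log posted in the thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\syscpy.exe
C:\WINDOWS\System32\UquPz.exe
C:\WINDOWS\System32\Kio55wM4.exe
C:\WINDOWS\System32\BRMFRSMG.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Syscpy] C:\WINDOWS\System32\syscpy.exe
O4 - HKLM\..\Run: [5QY58GP2ZDK8HF] C:\WINDOWS\System32\UwdTwS.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Pcar] C:\Documents and Settings\Adam\Application Data\sueb.exe
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
"""

# Abridged from the 3:17 PM log posted in the thread.
AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\KubCM67i.exe
C:\WINDOWS\System32\Vfp801.exe
C:\WINDOWS\System32\BRMFRSMG.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [5QY58GP2ZDK8HF] C:\WINDOWS\System32\QjlqXge2.exe
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
"""


def parse_run_entries(log):
    """Return {(hive, value_name): command} for every O4 Run-key line."""
    entries = {}
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            hive, name, command = m.groups()
            entries[(hive, name)] = command
    return entries


def parse_processes(log):
    """Return {lowercased_path: path} for the 'Running processes:' section.

    The section ends at the first blank line. Paths are keyed in lower case
    because the logs mix 'System32' and 'system32' for the same directory.
    """
    procs, in_section = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            procs[line.lower()] = line
    return procs


def compare_logs(before, after):
    """Diff two HijackThis logs on Run entries and running processes."""
    b_run, a_run = parse_run_entries(before), parse_run_entries(after)
    b_proc, a_proc = parse_processes(before), parse_processes(after)
    return {
        # Run values the cleanup actually removed.
        "removed": sorted(k for k in b_run if k not in a_run),
        # Run values that did not exist before the cleanup.
        "added": sorted(k for k in a_run if k not in b_run),
        # Same value name, different target: the entry was rewritten.
        "retargeted": sorted(
            (k, b_run[k], a_run[k])
            for k in a_run
            if k in b_run and a_run[k] != b_run[k]
        ),
        # Processes running now that were not running before.
        "new_processes": sorted(a_proc[p] for p in a_proc if p not in b_proc),
    }


if __name__ == "__main__":
    for section, items in compare_logs(BEFORE, AFTER).items():
        print(section)
        for item in items:
            print("   ", item)
```

A Run value that keeps its name while its target changes, and processes that appear only after a cleanup pass, are the entries worth a second look in a follow-up log.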



## SkyHighComic (Nov 7, 2003)

> _Originally posted by cybertech:_
> That's ok, we'll work through it.
> 
> While I'm looking at your log... Do you know what these programs are?
> ...


The first 2 went away in the cleaning. The third is a printer manager (checks ink levels and such) for Brother printers.

C:\WINDOWS\System32\KubCM67i.exe
C:\WINDOWS\System32\Vfp801.exe

are also unknown to me and they do not show up in the directory where they are mentioned....


----------



## Flrman1 (Jul 26, 2002)

Those are from the peper.a trojan which we are about to exterminate.


----------



## Flrman1 (Jul 26, 2002)

It looks like peper is all that's left.

First run This uninstaller:

http://home01.wxs.nl/~kleyn080/uninst.exe

Next, use the following tool to delete the files themselves:

http://www.mjc1.com/files/mo/drpeper.html
Download it, it will self extract to c:\.

Navigate to:

C:\drpeper\Find backup and Delete Peper files.vbs

Double-click the "Find backup and Delete Peper files.vbs" file.

On the first prompt copy and paste:

Kio55wM4.exe

And hit ok.

On the second, paste:

UwdTwS.exe

And hit ok.

Sometimes you will get a VBS script error during this process. If that happens, invert the order of the files, i.e.:

Copy and paste this one first:

UwdTwS.exe

and this one second:

Kio55wM4.exe ..... in the event of the VBS script error.

It will find all the peper files and delete them. Also it makes backups in the same folder.
It will open a text file (Peper.txt) with a list of all files deleted.

When finished, post the list from the Peper.txt file here, along with another Hijack This log.

*Note: On rare occasions I have seen this take several tries to determine the parent files.


----------



## SkyHighComic (Nov 7, 2003)

*pepper.txt* 
11/7/2003 3:43:26 PM
C:\WINDOWS\system32\BxjFx8f.exe
C:\WINDOWS\system32\Kio55wM4.exe
C:\WINDOWS\system32\KubCM67i.exe
C:\WINDOWS\system32\UquPz.exe
C:\WINDOWS\system32\Vax65.exe
C:\WINDOWS\system32\Vfp801.exe
11/7/2003 3:43:35 PM
C:\WINDOWS\system32\QjlqXge2.exe
C:\WINDOWS\system32\Qxcn74j.exe
C:\WINDOWS\system32\UwdTwS.exe

*HijackThis* 
Logfile of HijackThis v1.97.3
Scan saved at 3:45:10 PM, on 11/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
C:\Program Files\DiGiCam\Digicam30.exe
C:\Program Files\DiGiCam\BcastTcp.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\DiGiCam\DMMailServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Intuit\QBPOS\QBPos.exe
C:\Program Files\Intuit\QBPOS\RPRO\EFT\EftSvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Adam\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skyhighcomics.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zapro.exe
O4 - Startup: DiGiCam.lnk = C:\Program Files\DiGiCam\Digicam30.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Random Desktop.lnk = C:\Program Files\Sentinelware Developments\Random Desktop\Random Desktop.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37637.4065277778
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------

Thanks so far!


----------
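
One way to confirm the cleanup from the two artifacts posted above, as an added example that is not part of the thread or any poster's code: it checks that no file listed in Peper.txt is still running or referenced in a later HijackThis log. The sample inputs are short excerpts from the thread plus one constructed O4 line, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed samples: a few lines excerpted from the Peper.txt list and the
# HijackThis logs in this thread. The O4 line in BEFORE is made up for the demo.
PEPER_TXT = r"""
11/7/2003 3:43:26 PM
C:\WINDOWS\system32\Kio55wM4.exe
C:\WINDOWS\system32\UquPz.exe
11/7/2003 3:43:35 PM
C:\WINDOWS\system32\UwdTwS.exe
"""
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UquPz.exe
C:\WINDOWS\System32\Kio55wM4.exe

O4 - HKLM\..\Run: [constructed] C:\WINDOWS\System32\UwdTwS.exe
"""
AFTER = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\BRMFRSMG.EXE

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
"""

ENTRY = re.compile(r"^[A-Z]\d+ - ")  # HijackThis item lines: R0, O2, O4, O16 ...

def deleted_names(peper_txt):
    """Lower-cased file names from Peper.txt; timestamp lines are skipped."""
    return {ntpath.basename(l.strip()).lower()
            for l in peper_txt.splitlines() if re.match(r"\s*[A-Za-z]:\\", l)}

def leftovers(peper_txt, hjt_log):
    """Return (kind, line) for each log line still naming a deleted file."""
    names, hits, in_procs = deleted_names(peper_txt), [], False
    for line in (l.strip() for l in hjt_log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs and ntpath.basename(line).lower() in names:
            hits.append(("process", line))
        elif ENTRY.match(line) and any(n in line.lower() for n in names):
            hits.append(("entry", line))
    return hits

if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        print(label, leftovers(PEPER_TXT, log))
```

Matching is case-insensitive because the logs mix `System32` and `system32` for the same directory.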



## Flrman1 (Jul 26, 2002)

Good job! :up:

Looks like you're good to go. 

Happy Surfing!


----------



## ~Candy~ (Jan 27, 2001)

Nice job fireman


----------



## Flrman1 (Jul 26, 2002)

BTW go ahead and delete the c:\drpeper folder.


----------



## cybertech (Apr 16, 2002)

I did not know that flrman1 was the resident DR for this virus, nor did I know the facts of the peper virus.

I have been edg_u_ma_cated thanks to dvk01's advice to read, (actually re-read for the 3rd time) a post from the Security Forum. And it really took 3 times for me to GET IT  

Now I know what peper is and will be aware of it.

I'm so happy that SkyHighComic got his device fixed.

And I was LOL at AcaCandy's remark "Who's firman and have I met him" But didn't have the heart to say a word after my own blunder....

  


:up:


----------



## SkyHighComic (Nov 7, 2003)

Thank you tons for all the help. Gonna try and tie down my Business partner (a him)


----------



## ~Candy~ (Jan 27, 2001)

Is he good looking? I might be able to help


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by flrman1:_
> *BTW go ahead and delete the c:\drpeper folder. *


You're Welcome!

I just wanted to make sure you didn't miss my post. You should delete the C:\drpeper folder now.


----------



## SkyHighComic (Nov 7, 2003)

And thanks for the DrPepper reminder


----------

