I Need Help: Pesky "TIB" Malware - What Else Can I Do?
Hello,
I'm new to the forum but was pointed in this direction by a friend of mine because I have a problem....
As of Friday I have been dealing with a stubborn form of malware....
From all indications my brother mistakenly downloaded it from Kazaa that evening.....
It is associated with the filenames of:
TIB Browser, TIBS 41, TIBS 42 (both phony dialup connections), 123799.exe, and Website Viewer
So I set out to take care of it....
This malware trojan attempts to hijack my dialup with a dialup of its own (I'm lucky it hasn't come back yet so I can type this)
First I do a scan with Norton and it doesn't even pick it up, saying that the system is fine.....
OK....
So next I use the GiPo Utilities "move on boot" to remove it....it worked when this happened before so I figured it would be an easy remedy (this has happened one other time, with an email my brother received)....it worked then....but after a few tries now, no such luck
Then I run the Adaware 6.0 program that I have....I have been using Adaware for a long time and it is up and running (updated) and I do a system scan....
It finds the problem.....
Removes it.....
Everything is fine.....right?
No.....I sign back online and it's back! This process goes on 4 more times......
Running a scan....having it show up....and then taking care of it....but it keeps coming back.....
I attempt to do a total quarantine to keep it out of any other files but it will only remove them......
Now I'm getting ticked...I put Spyware Blaster to use as a second line of defense to combat the problem against future occurrences, thinking it might take care of it, but I don't know what else I can do?
I deleted the phony dialup connections and even tried to use the "system restore" method but to no avail....
So now I'm at a loss....
If anyone has any ideas on how to neutralize this thing.....please let me know.....I'm all ears
Anyone know exactly what I'm dealing with?
Thanks,
TF
Comments
Hope this helps....
TF
//edited by admin for clarity
Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Tuesday, June 15, 2004 8:52:58 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R318 13.06.2004
______________________________________________________
Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
6-15-2004 8:52:58 PM - Scan started. (Smart mode)
Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4228845399
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:01:16 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294920695
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:01:59 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294953847
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 9/3/2003 6:02:28 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:4 [ptudfapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294966803
Threads : 2
Priority : Normal
FileSize : 232 KB
FileVersion : 1, 3, 0, 149
ProductVersion : 1, 3, 0, 0
Copyright : Copyright
CompanyName : Prassi Software USA, Inc.
FileDescription : abCD Interface application
InternalName : abCD
OriginalFilename : PtUDFapp.exe
ProductName : abCD
Created on : 10/31/2000 6:32:13 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 2/15/2000 5:40:00 AM
#:5 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294960739
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:01:59 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:6 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 4294852335
Threads : 10
Priority : Realtime
FileSize : 48 KB
FileVersion : 1.21
ProductVersion : 0.28
Copyright : Copyright (C) 3Com corporation. 1999
CompanyName : 3Com Corporation
FileDescription : 3Com driver interface
InternalName : 3cmlink.exe
OriginalFilename : 3cmlink.exe
ProductName : 3Com modem
Created on : 3/30/2002 1:05:32 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 9/6/2000 11:28:46 PM
#:7 [3cshtdwn.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 4294858163
Threads : 2
Priority : Normal
FileSize : 68 KB
FileVersion : 1.21
ProductVersion : 0.28
Copyright : Copyright (C) 3Com corporation. 1999
CompanyName : 3Com Corporation
FileDescription : 3Com shutdown helper
InternalName : 3cshtdwn.exe
OriginalFilename : 3cshtdwn.exe
ProductName : 3Com modem
Created on : 3/30/2002 1:05:32 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 9/7/2000 12:56:54 AM
#:8 [3cmlink.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 4294876591
Threads : 1
Priority : Normal
FileSize : 48 KB
FileVersion : 1.21
ProductVersion : 0.28
Copyright : Copyright (C) 3Com corporation. 1999
CompanyName : 3Com Corporation
FileDescription : 3Com driver interface
InternalName : 3cmlink.exe
OriginalFilename : 3cmlink.exe
ProductName : 3Com modem
Created on : 3/30/2002 1:05:32 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 9/6/2000 11:28:46 PM
#:9 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294875043
Threads : 3
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 9/3/2003 6:01:59 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:10 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294881683
Threads : 4
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:03:44 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 12/14/2001 12:38:12 AM
#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294889603
Threads : 25
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 9/3/2003 5:59:26 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:12 [ccevtmgr.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294931291
Threads : 18
Priority : Normal
FileSize : 309 KB
FileVersion : 1.03.4
ProductVersion : 1.03.4
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
OriginalFilename : ccEvtMgr.exe
ProductName : Event Manager
Created on : 7/17/2003 6:40:56 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 7/17/2003 6:16:38 PM
#:13 [mstaskm.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294781475
Threads : 1
Priority : Normal
FileSize : 5 KB
Created on : 4/22/2004 6:51:03 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 4/22/2004 6:48:32 PM
#:14 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294128291
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:03 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:15 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294125667
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:03 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:16 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294141959
Threads : 3
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:05 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:17 [ccapp.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\
ProcessID : 4294151595
Threads : 17
Priority : Normal
FileSize : 53 KB
FileVersion : 1.0.10.006
ProductVersion : 1.0.10.006
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Common Client CC App
InternalName : ccApp
OriginalFilename : ccApp.exe
ProductName : Common Client
Created on : 1/28/2004 8:39:34 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 12/2/2003 11:11:04 PM
#:18 [loadqm.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294052243
Threads : 3
Priority : Normal
FileSize : 7 KB
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
OriginalFilename : LOADQM.EXE
ProductName : QMgr Loader
Created on : 9/17/2003 4:33:23 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 5/4/2000 12:23:10 AM
#:19 [winampa.exe]
FilePath : C:\PROGRAM FILES\WINAMP3\
ProcessID : 4294067819
Threads : 1
Priority : Normal
FileSize : 12 KB
Created on : 7/23/2002 3:58:06 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 7/23/2002 3:58:06 PM
#:20 [wintime.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 4294166499
Threads : 1
Priority : Normal
FileSize : 5 KB
Created on : 6/12/2004 11:24:19 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/12/2004 11:24:46 AM
#:21 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294100699
Threads : 2
Priority : Normal
FileSize : 44 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:02 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:22 [wkcalrem.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4293995263
Threads : 2
Priority : Normal
FileSize : 24 KB
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkCalRem
OriginalFilename : WKCALREM.EXE
ProductName : Microsoft
Created on : 8/1/2000 7:00:00 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 8/1/2000 7:00:00 PM
#:23 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294015103
Threads : 5
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 9/17/2003 7:05:34 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 12/12/2002 7:14:32 AM
#:24 [msnmsgr.exe]
FilePath : C:\PROGRAM FILES\MSN MESSENGER\
ProcessID : 4294426719
Threads : 8
Priority : Normal
FileSize : 4572 KB
FileVersion : 6.1.0211
ProductVersion : Version 6.1
Copyright : Copyright (c) Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : Messenger
Created on : 3/4/2004 10:01:00 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 3/4/2004 10:01:00 PM
#:25 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294213623
Threads : 3
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 9/3/2003 6:02:05 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:26 [msn6.exe]
FilePath : C:\PROGRAM FILES\MSN\MSNCOREFILES\
ProcessID : 4294753875
Threads : 32
Priority : Normal
FileSize : 79 KB
FileVersion : 8.50.0017.1202
ProductVersion : 8.50.0017.1202
Copyright : Copyright (C) Microsoft Corp. 1981-2003
CompanyName : Microsoft Corporation
FileDescription : msn
InternalName : msn
OriginalFilename : msn.exe
ProductName : Microsoft(R) MSN (R) Communications System
Created on : 5/14/2003 12:56:14 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 5/14/2003 12:56:14 AM
#:27 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294284359
Threads : 4
Priority : Normal
FileSize : 82 KB
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 9/3/2003 5:59:30 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:28 [rnaapp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294333019
Threads : 3
Priority : Normal
FileSize : 56 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1996
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
OriginalFilename : RNAAPP.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:01 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:29 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294016943
Threads : 6
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 9/3/2003 6:02:03 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/9/2000
#:30 [dial32.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294392967
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 0, 2
ProductVersion : 1, 0, 0, 2
Copyright : Copyright (C) 2004
FileDescription : BSD
InternalName : BSD
OriginalFilename : BSD.EXE
ProductName : BSD
Created on : 6/12/2004 11:21:23 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/12/2004 11:23:20 AM
#:31 [123799.dlr]
FilePath : C:\PROGRAM FILES\WEBSITEVIEWER\
ProcessID : 4294380891
Threads : 6
Priority : Normal
FileSize : 78 KB
Created on : 5/30/2004 1:19:19 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/16/2004 3:50:30 AM
Warning! TIB Browser object found in memory(123799.dlr)
TIB Browser Object recognized!
Type : Process
Data : 123799.dlr
Object : C:\PROGRAM FILES\WEBSITEVIEWER\
FileSize : 78 KB
Created on : 5/30/2004 1:19:19 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/16/2004 3:50:30 AM
"123799.dlr"Process terminated successfully.
#:32 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4228548591
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 9/6/2003 6:08:36 PM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 7/13/2003 5:00:20 AM
Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1
Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
TIB Browser Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\WebSiteViewer
Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 2
Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"
Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank
Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"
Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 5
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
TIB Browser Object recognized!
Type : Folder
Object : c:\program files\WebSiteViewer
TIB Browser Object recognized!
Type : File
Data : sexxx.lnk
Object : c:\windows\desktop\
Created on : 6/16/2004 3:50:50 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/16/2004 3:50:52 AM
TIB Browser Object recognized!
Type : File
Data : sexxx.lnk
Object : c:\windows\start menu\
Created on : 6/16/2004 3:50:50 AM
Last accessed : 6/15/2004 7:00:00 AM
Last modified : 6/16/2004 3:50:52 AM
Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 3
Objects found so far: 8
9:07:47 PM Scan complete
Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:14:48:970
Objects scanned :41954
Objects identified :8
Objects ignored :0
New objects :8
Dexter...
I will do that and get back to you shortly
Man, this is just getting better and better......
Are there any other places to download HJT from?
What do you mean it won't save to your computer? Does the link not work, or is your SAVE button greyed out on the download window?
Dexter...
That link works.....when the download has finished I will get back to you with the info.....probably a little later tonight.....I need to get some sleep before I go back to work for my split shift.....
Thanks again,
TF
Any help would be greatly appreciated....
Thanks,
TF
Logfile of HijackThis v1.97.7
Scan saved at 5:25:36 PM, on 6/16/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM32\3CMLINK.EXE
C:\WINDOWS\SYSTEM32\3CSHTDWN.EXE
C:\WINDOWS\SYSTEM32\3CMLINK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASKM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYKILLER\SPYKILLER.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\mstaskm.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe"
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunServices: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\RunServices: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [OleAut32.dll] regsvr32.exe /s C:\WINDOWS\SYSTEM\OleAut32.dll
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D857684F-34BA-4DFA-A466-24AEC1573B18} - http://www.sexy-models.net/sbox.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37881.5019328704
O16 - DPF: {9D618D42-13AC-4738-A5A4-FCA98D971DCA} (VIPCheckObj3 Class) - http://clubs.lycos.com/live/AUTH/LoginRequired/vipchck3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330994.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.235/buka.chm::/x.exe
Delete the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mo...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mo...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\RunServices: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O16 - DPF: {D857684F-34BA-4DFA-A466-24AEC1573B18} - http://www.sexy-models.net/sbox.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330994.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.235/buka.chm::/x.exe
You may also want to get rid of the following to free up some resources. None of these are necessary:
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe"
O4 - HKCU\..\Run: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
This is a start. You still have some items that I am suspicious of, but let's start here and see where we get.
The problem is still here, but the system looks OK.
What's next? Here is a new log.
It's a dialer, but I can't seem to find anything in there that could be it.
Logfile of HijackThis v1.97.7
Scan saved at 6:20:59 PM, on 6/16/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM32\3CMLINK.EXE
C:\WINDOWS\SYSTEM32\3CSHTDWN.EXE
C:\WINDOWS\SYSTEM32\3CMLINK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASKM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINAMP3\STUDIO.EXE
C:\PROGRAM FILES\WEBSITEVIEWER\123799.DLR
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP3\\winampa.exe"
O4 - HKLM\..\RunServices: [3c1807pd] C:\WINDOWS\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKCU\..\Run: [IM] C:\PROGRAM FILES\EARTHLINKIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKLM\..\RunOnce: [OleAut32.dll] regsvr32.exe /s C:\WINDOWS\SYSTEM\OleAut32.dll
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone: *.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37881.5019328704
O16 - DPF: {9D618D42-13AC-4738-A5A4-FCA98D971DCA} (VIPCheckObj3 Class) - http://clubs.lycos.com/live/AUTH/LoginRequired/vipchck3.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
But this running process (C:\PROGRAM FILES\WEBSITEVIEWER\123799.DLR) is the one I need to remove, or make sure it doesn't return.
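The helper's fix list above and the second log show the kind of triage that was done by eye: autostarts that run straight out of the Windows directory, a file name one letter away from a real system binary (mstaskm.exe next to mstask.exe), a legacy win.ini run= line, O16 DPF entries that load from file:// or ms-its: instead of an http cab, and a running process with an extension no program image should have (123799.DLR). The script below is an added example, not code from this thread or from HijackThis, that applies those checks mechanically to a v1.x log. The allowlist of known autostart binaries, the accepted process extensions and the "bad scheme" list are assumptions for the example; the sample log lines are copied from the logs posted in this thread, trimmed to a representative subset.

```python
r"""Heuristic triage of a HijackThis v1.x log (added example; not HijackThis code).

Every rule here is an assumption chosen to reproduce the reasoning in the
thread, not a rule HijackThis itself applies.  Findings are "worth a look",
not verdicts.
"""
import re

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:20:59 PM, on 6/16/2004
Platform: Windows ME (Win9x 4.90.3000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASKM.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAM FILES\WEBSITEVIEWER\123799.DLR
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
F1 - win.ini: run=C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [SVC Socks] C:\WINDOWS\SYSTEM\mstaskm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\MAIN.MHT!http://213.159.117.235/buka.chm::/x.exe
"""

# Assumption: autostart binaries that are normal on a Win9x/ME box with Norton.
KNOWN_AUTOSTART = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "mstask.exe", "ssdpsrv.exe",
    "loadqm.exe", "rundll32.exe", "statemgr.exe", "pchschd.exe", "ccapp.exe",
    "ccevtmgr.exe", "ccregvfy.exe", "sbserv.exe", "3cmlink.exe",
}
# Assumption: extensions a process image may have (Win9x lists kernel32.dll).
PROCESS_EXTENSIONS = {".exe", ".dll", ".tsk"}
# Schemes a Download Program Files (O16) entry should never use.
BAD_DPF_SCHEMES = ("file:", "ms-its:", "mhtml:")

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
DRIVE_RE = re.compile(r"^[a-zA-Z]:\\")
IP_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_from_command(cmd):
    """First token of a Run value: the quoted path, or everything before a space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(None, 1)[0]


def lookalike(name):
    """Known binary that `name` turns into when one character is dropped
    (mstaskm.exe -> mstask.exe), else None."""
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:
        return None
    for i in range(len(stem)):
        candidate = stem[:i] + stem[i + 1:] + "." + ext
        if candidate in KNOWN_AUTOSTART:
            return candidate
    return None


def check_autostart(line):
    m = O4_RE.match(line)
    if not m:
        return []
    exe = exe_from_command(m.group("cmd"))
    name = basename(exe)
    if name in KNOWN_AUTOSTART:
        return []
    reasons = []
    known = lookalike(name)
    if known:
        reasons.append("name looks like " + known)
    low = exe.lower()
    if low.startswith("c:\\windows\\") and "program files" not in low:
        reasons.append("unknown autostart under the Windows directory")
    return reasons


def check_dpf(line):
    if not line.startswith("O16 - DPF:"):
        return []
    url = line.rsplit(" - ", 1)[-1].strip()
    low = url.lower()
    reasons = []
    if low.startswith(BAD_DPF_SCHEMES):
        reasons.append("DPF loads via " + low.split(":", 1)[0] + ": scheme")
    if IP_RE.search(url):
        reasons.append("DPF points at a bare IP address")
    if low.endswith(".exe"):
        reasons.append("DPF target is an .exe, not a .cab")
    return reasons


def check_process(path):
    name = basename(path)
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    if ext not in PROCESS_EXTENSIONS:
        reasons.append("process image has extension " + (ext or "(none)"))
    known = lookalike(name)
    if name not in KNOWN_AUTOSTART and known:
        reasons.append("name looks like " + known)
    return reasons


def check_browser_page(line):
    if not re.match(r"^R[01] - ", line) or "=" not in line:
        return []
    value = line.split("=", 1)[1].strip()
    return ["IE search/start page set to a local file"] if DRIVE_RE.match(value) else []


def check_legacy(line):
    return ["legacy win.ini/system.ini autostart"] if line.startswith(("F0 - ", "F1 - ")) else []


def triage(text):
    """Return [(line, [reason, ...])] for every flagged line, in log order."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and not DRIVE_RE.match(line):
            in_processes = False  # first non-path line ends the process list
        if in_processes:
            reasons = check_process(line)
        else:
            reasons = (check_browser_page(line) + check_legacy(line)
                       + check_autostart(line) + check_dpf(line))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, the script flags the same nine lines the helper called out or the poster later pointed to (the two hijacked IE pages, the win.ini run= line, the three unknown Run/RunServices binaries, the two file:// and ms-its: DPF entries, and the 123799.DLR process), and leaves ScanRegistry, ccApp and the Flash cab alone. The lookalike check is the useful bit: nothing in the log says mstaskm.exe is bad, but being one letter away from mstask.exe while living in the same directory and also appearing in win.ini is exactly the pattern a dialer uses to hide in plain sight.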
I have EXACTLY the same problem as you, although I am running XP.
The malware is detected by Spybot S&D and Ad-aware, and they both say they have removed it. I got it from the internet automatically: I was looking at some not-so-good sites and it installed itself and just won't go.
I followed your discussion with the other members and want to ask: in the end, how did you get rid of it?