Computing.Net > Forums > Security and Virus > Please help with Rads01.Quagrogram


Please help with Rads01.Quagrogram


Name: Skipper5045
Date: December 10, 2003 at 19:52:16 Pacific
OS: XP Home
CPU/Ram: P4 512
Comment:

Hi Gang,

Pretty much done everything to get rid of this bad boy...Ad-Aware finds it but does not remove it...comes back with each reboot, Spybot...same. Tried Safe Mode...System Restore off etc...etc...etc. Can I trouble you guys to take a look-see? Also noticed Couponsandoffers on the system as well. Nothing cleaned that either.

Here is my hijack this log...any help will be greatly appreciated...Skipper

Logfile of HijackThis v1.97.7
Scan saved at 10:21:54 PM, on 12/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSBSR.exe
C:\WINDOWS\eeapsluf.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\mcafee.com\agent\McDash.exe
C:\PROGRA~1\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Berg's\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O2 - BHO: (no name) - {C6262D4F-9704-DCDD-ABA3-DABEA64D11CD} - C:\WINDOWS\system32\dbzhllsd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ypyg9f5.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Berg's\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.8096990741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{979867AB-FC2C-4FD6-8023-4E56AF7E499E}: NameServer = 151.203.0.85 151.203.0.84

Response Number 1
Name: iceblue
Date: December 11, 2003 at 05:10:25 Pacific
Reply:

I'd be interested to know why the AdAware update doesn't nail this.
Info from the Lavasoft site:
13.10.2003 Reference Number: 01R225 13.10.2003
Internal build: 136
Updated signatures for
CoolWebSearch (2 variants)
e-Group
PowerScan
Rads01.Quagrogram

Might be a new variant; might be a re-infection problem....
Happy to have a look and see if we can pin it down....brb.


0

Response Number 2
Name: iceblue
Date: December 11, 2003 at 06:13:03 Pacific
Reply:

ok;

we have a small batch of stuff to remove.
Here's the overview of the process:

1. Remove the peper trojan by the method outlined below, and reboot.

2. Remove the Cool Web Search affiliate, and reboot.

3. Rescan with HijackThis and remove the remaining stuff, including the Couponsandoffers.

>>>next


0

Response Number 3
Name: iceblue
Date: December 11, 2003 at 06:30:47 Pacific
Reply:


Peper Removal:

1. Use the uninstall tool - download from: http://home01.wxs.nl/~kleyn080/uninst.exe. Double click on uninst.exe, let it run and terminate.

2. To delete all the files associated with drpeper, download from http://www.mjc1.com/files/mo/drpeper.html. Double click drpepertobackup; it will self-extract to C:. With the text in the box highlighted and 'overwrite existing files' checked, click start.

3. Go to the file C:\drpeper\Find backup and Delete Peper files.vbs and double click this file.

4. A box will appear, copy and paste: MSBSR.exe
and hit ok.

5. A second box will appear, copy and paste Ypyg9f5.exe
and hit ok.

*Note: Sometimes you will get a VBS script error during this process. If that happens, INVERT the order of the files, i.e. the first one second and the second one first.

6. It will find all the files, delete them and will make backups in the same folder.

It'll open a text file (Peper.txt) with the list of all files deleted. Make sure it is saved.

Reboot.
Make sure all browsers are closed.
Then rescan with HJT, post a new HJT log and the contents of the Peper.txt file - the next stage will be to remove the rest of the bad stuff.


0

Response Number 4
Name: iceblue
Date: December 11, 2003 at 06:38:25 Pacific
Reply:

CWS Cool Web Search Removal Process

Download and run a new update of cwshredder.zip. Open it and click “Next”.

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

(ensure you obtain a new version for each run; there is a recent update)

The full story on CWS:
New address: http://www.merijn.org/cwschronicles.html
Make sure that you have the latest version of CWShredder, and that you click “Next”
and don't just scan.
When the program is finished, reboot.

Rescan with HijackThis and repost the log.
You're getting close to the end.


0

Response Number 5
Name: Skipper5045
Date: December 11, 2003 at 08:04:02 Pacific
Reply:

Thanks ICE...

I'll try working on these little buggers tonight when I get home from work. Ice...I'm just as puzzled as you about why Ad-Aware can detect Rads01.Quagrogram but not clean it. I did a search of the Ad-Aware forum and there was some chit-chat about "selectively" removing these files (and some systems having a problem with removal) but I've tried all their suggestions and that does not work for me. Maybe I'm doing something wrong...who knows...maybe worth another try?

There is definitely something strange going on with my two browsers (MSN and IE). When you type specific web sites into the Address Bar of the MSN Browser I get this error:

Microsoft JET Database engine error "80040e21".

When I enter a name in the IE Address bar and try to search from there I get a "page not found" error and the name gets rewritten to something like Http:///&%(then the name). So something is obviously rewriting the entry made in this field.

Many Thanks!! Hopefully I'll have more info tonight

Skip



0




Response Number 6
Name: iceblue
Date: December 11, 2003 at 12:01:27 Pacific
Reply:

you definitely have bugs doing all sorts of things....and no, you aren't doing anything wrong, but you could beef up the system security across the board.

looks like SpyBot and AdAware both got disabled; McAfee was sleeping and Zone alarm wandered off.
Probably need to put in spywareblaster & spywareguard to prevent infection getting in and disabling your programs.

then check for any updates to XP and IE from windowsupdates. and updates every program that is security related.


0

Response Number 7
Name: Skipper5045
Date: December 11, 2003 at 19:34:44 Pacific
Reply:

Hello Iceblue

Ok Ready to do battle...

Here is the first HT log after the peper removal...also included the peper.txt file

Logfile of HijackThis v1.97.7
Scan saved at 10:30:02 PM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSBSR.exe
C:\WINDOWS\eeapsluf.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.exe
C:\Documents and Settings\Berg's\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O2 - BHO: (no name) - {C6262D4F-9704-DCDD-ABA3-DABEA64D11CD} - C:\WINDOWS\system32\dbzhllsd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.8096990741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


I'll work on the CWS removal next and repost

Skip


0

Response Number 8
Name: Skipper5045
Date: December 11, 2003 at 19:36:46 Pacific
Reply:

Here is the peper.txt file

12/11/2003 10:25:14 PM
12/11/2003 10:25:45 PM
C:\WINDOWS\SYSTEM32\HouEld.exe
C:\WINDOWS\SYSTEM32\Oad3.exe
C:\WINDOWS\SYSTEM32\Ypyg9f5.exe


0

Response Number 9
Name: Skipper5045
Date: December 11, 2003 at 19:46:42 Pacific
Reply:

OK Ice...

Here is the next HT Log after running CW Shredder

Logfile of HijackThis v1.97.7
Scan saved at 10:43:11 PM, on 12/11/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSBSR.exe
C:\WINDOWS\eeapsluf.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.exe
C:\Documents and Settings\Berg's\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O2 - BHO: (no name) - {C6262D4F-9704-DCDD-ABA3-DABEA64D11CD} - C:\WINDOWS\system32\dbzhllsd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.8096990741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



0

Response Number 10
Name: sxshep
Date: December 11, 2003 at 20:31:19 Pacific
Reply:

Skipper

I'm sure ice blue will be back soon, but here's my take

Close all browser windows and have HT Fix these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_home
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O2 - BHO: (no name) - {C6262D4F-9704-DCDD-ABA3-DABEA64D11CD} - C:\WINDOWS\system32\dbzhllsd.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe

These might need to be removed after reboot, stand by for iceblue, much more knowledge than I.

C:\WINDOWS\System32\MSBSR.exe
C:\WINDOWS\eeapsluf.exe ...............(sleepuaf ??? u a f*cked)
Move the letters around.

It's late

hth
shep


0

Response Number 11
Name: sxshep
Date: December 11, 2003 at 20:43:40 Pacific
Reply:

One other thought: if MSBSR.exe appears in your startup list you could stop the process from loading and see if it helps, before deleting.

Good luck Skipper,
shep


0

Response Number 12
Name: iceblue
Date: December 12, 2003 at 05:55:50 Pacific
Reply:

The peper txt shows the peper removal was incomplete, (although all the active components are now gone) but CWShredder did the job well. Ab, if you read this; where was that script to check for peper remnants?

Glad to have you on board, Shep, we will have to workshop this one as it's behaving differently. Might be a new variant of peper or one I don't know, but in this business, things change rapidly, that I’m sure of. Could simply be a one list file version of peper. (I’m looking into it.)

These are OK to keep.
C:\WINDOWS\BCMSMMSG.exe >>> BCM voicemodem driver.
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe

but the rest can go, as per your notes………
Skipper, please have HijackThis fix these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1&bm=ho_home

R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O2 - BHO: (no name) - {C6262D4F-9704-DCDD-ABA3-DABEA64D11CD} - C:\WINDOWS\system32\dbzhllsd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll__SpybotSDDisabled (file missing)
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe

(I know you will have done the system restore turnoff thing..)

Check running processes in Task Manager for MSBSR.exe and end this task.
If absent in task manager, could you download Process Explorer, from Sysinternals….
http://www.sysinternals.com/ntw2k/utilities.shtml
Run this and “kill process” MSBSR.exe (in the process tab).
Then delete these files: C:\WINDOWS\System32\MSBSR.exe and C:\WINDOWS\eeapsluf.exe
Then reboot and run the RAV or Housecall online scans and notify any results here please.
RAV http://clk.about.com/?zi=1/XJ&sdn=antivirus&zu=http%3A%2F%2Fwww.ravantivirus.com%2Fscan%2F

House Call http://housecall.trendmicro.com/housecall/start_corp.asp
Close all browsers and reboot and rescan with HjT and repost, thanks.


0
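The logs in this thread are easier to triage when parsed and compared rather than read by eye. The Python below is an added example, not code from this thread or from the HijackThis project: it parses the R/O entries of a HijackThis 1.9x log, flags the kinds of entries iceblue and shep picked out (Run values launching unknown binaries from C:\WINDOWS or System32, unnamed or missing BHO/toolbar DLLs, dead URLSearchHooks, startup shortcuts into Application Data, file:// context-menu items, a NameServer override) and diffs a before log against an after log. The two excerpts are cut from the logs posted above; the allowlist of known Windows-directory binaries and the flagging rules are assumptions made for illustration.

```python
"""Triage helper for HijackThis v1.9x logs: parse the R/O entries, flag the ones
worth a second look, and diff a before/after pair of logs. Added example, not code
from this thread or from HijackThis; the excerpts are cut from the logs posted
above, while the allowlist and the flagging rules are assumptions for illustration."""
from __future__ import annotations
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Assumed allowlist of binaries that legitimately autostart from C:\WINDOWS or
# System32 (these four appear in the thread's logs and were not flagged there).
KNOWN_WINDOWS_DIR_BINARIES = {"rundll32.exe", "nwiz.exe", "bcmsmmsg.exe", "dsentry.exe"}
WINDOWS_DIRS = {"", "c:\\windows", "c:\\windows\\system32"}  # "" = bare file name

@dataclass(frozen=True)
class Entry:
    section: str  # "R3", "O4", ...
    body: str     # text after "O4 - "

def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R*/O* lines; headers and running-process paths are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["section"], m["body"]))
    return out

def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """(entries removed by a cleanup step, entries that newly appeared)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    def key(e): return e.section, e.body
    return sorted(b - a, key=key), sorted(a - b, key=key)

def _command_target(cmd: str) -> str:
    """Executable of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for the entries a helper would ask about."""
    flags = []
    for e in entries:
        body = e.body
        if e.section == "R3" and body.endswith("(no file)"):
            flags.append((e, "URLSearchHook whose DLL is gone: dead hook"))
        elif e.section in ("O2", "O3") and ("(no name)" in body or "(file missing)" in body):
            flags.append((e, "unnamed or missing BHO/toolbar DLL: verify the publisher"))
        elif e.section == "O4" and "\\Run: [" in body:
            head, _, cmd = body.partition("] ")
            name = head.split("[", 1)[1]
            directory, _, filename = _command_target(cmd).lower().rpartition("\\")
            if directory in WINDOWS_DIRS and filename not in KNOWN_WINDOWS_DIR_BINARIES:
                flags.append((e, f"autostart '{name}' runs {filename} from the Windows "
                                 "directory but is not a known component"))
        elif e.section == "O4" and "Startup:" in body:
            target = body.partition(" = ")[2].lower()
            if "\\application data\\" in target or "\\temp\\" in target:
                flags.append((e, "startup shortcut into a user-profile data folder"))
        elif e.section == "O8" and "file://" in body:
            flags.append((e, "context-menu item backed by a local HTML file: check the vendor"))
        elif e.section == "O17":
            flags.append((e, "NameServer override: confirm the addresses belong to the ISP"))
    return flags

# Excerpt of the first log (before cleanup) and of the log posted after CWShredder.
BEFORE_LOG = r"""
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Ypyg9f5.exe
O4 - HKCU\..\Run: [iedll] c:\WINDOWS\iedll.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Berg's\Application Data\DownloadPlus.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{979867AB-FC2C-4FD6-8023-4E56AF7E499E}: NameServer = 151.203.0.85 151.203.0.84
"""
AFTER_LOG = r"""
R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
O2 - BHO: (no name) - {5B0C042F-CDF6-05A4-3394-3F468D73CB4C} - C:\WINDOWS\system32\gwifboby.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msbsr] C:\WINDOWS\System32\MSBSR.exe
O4 - HKLM\..\Run: [jatbbxgw] C:\WINDOWS\eeapsluf.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone after cleanup, {len(added)} new")
    for entry, reason in flag_entries(parse_hjt(AFTER_LOG)):
        print(f"{entry.section}: {reason}\n    {entry.body}")
```

Run as-is to see the five entries CWShredder and the Peper removal took out and the four that still remain to be fixed (the two random-named Run values and the unnamed BHO and dead search hook). The rules are a triage aid, not a verdict: legitimate vendor software can sit in System32 or add context-menu items, so each flagged line still needs the kind of confirmation the helpers give above before it is fixed, and the allowlist would need extending for any machine other than this one.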

Response Number 13
Name: Skipper5045
Date: December 12, 2003 at 06:55:22 Pacific
Reply:

Thanks gang...

Looks Like I made some progress here. I'll work on your other recommendations tonight when I get home from work.

Just so you know... I was able to get Ad-Aware to remove the Rads01.Quagrogram files (after umpteen freakin' tries!!!). It's a little tricky. If Ad-Aware detects the Rads01.quagrogram files, it's best that you remove (click on) all of them as a unique group (rather than including them with other items to delete). Make sure you reboot after the delete process. Seems kinda strange to me. Might be a bug in Ad-Aware???

Ice...if you have a list of the Peper remnants please forward it. I'll check my system to see if they exist.

Unfortunately I'm still having the browser problems as mentioned above. I'm hoping this latest batch of fixes will help things.
I'll keep you posted.

Many, Many, Many thanks...

Skip



0

Response Number 14
Name: iceblue
Date: December 12, 2003 at 13:14:25 Pacific
Reply:

Often AdAware and Spybot get disabled by malware/spyware; cleaning some out will allow AdAware/SpyBot to work again.[I luv the Shredder!]
It is a wise move to protect these vital programs with the constant presence of SpywareBlaster and SpywareGuard. These prevent bugs from ever getting onto your system and delivering the 'disable' payloads.

You may not find all the items listed if AdAware has removed some; but the browser re-directs and other problems will get sorted with the last batch of stuff.

Shep, I'll post a followup to review this case after the final HjT log comes through concerning Quadrogram.

Skip, the peper remnants script won't be needed here; all is well on that score.
Ice


0

Response Number 15
Name: sxshep
Date: December 12, 2003 at 14:39:27 Pacific
Reply:

Thanks ice. I'll keep an eye on it.
Am interested in the connection between realbar and Spybot being disabled. I know Real makes some pretty dodgy programs, but this is curious. Adaware has the Quadrogram signature. A new one?
Anyway..... Good luck Skipper

shep



0

Response Number 16
Name: iceblue
Date: December 12, 2003 at 15:13:58 Pacific
Reply:

How exactly the Real toolbar has been corrupted by the malware is unknown until the malware script is analysed, and that's way beyond me.

The correct toolbar is
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll



0

Response Number 17
Name: Skipper5045
Date: December 12, 2003 at 17:35:38 Pacific
Reply:

Hi All...AHOY...Skipper here

Well I think we got it licked!!!
I fixed all of the items you requested. I ran Housecall and found three Trojans...

Adclicker.F C:System Volume Information\_restore{B376802-BAOA-4E5D-BF030-83E44C588624\RP1\A0000004.exe

MSCACHE.A C:System Volume Information\_restore{B376802-BAOA-4E5D-BF030-83E44C588624\RP1\A0000005.exe

MSCACHE.A C:\WINDOWS\DOWNLOAD PROGRAM FILES\anmqsrh0.dll

Here is the latest HT log...

Logfile of HijackThis v1.97.7
Scan saved at 8:33:26 PM, on 12/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Berg's\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: Control Pad (HKLM)
O9 - Extra 'Tools' menuitem: Control Pad (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned40.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.8096990741
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,15/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{979867AB-FC2C-4FD6-8023-4E56AF7E499E}: NameServer = 151.203.0.85 151.203.0.84


Let me know what you think....

Skip


0
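Iceblue's point in Response 16 is that a known toolbar CLSID should load a known DLL, and the log above is what gets compared against that expectation. The script below is an added example, not part of the thread and not a HijackThis feature: it parses O3/O4/O16/O17 lines in HijackThis format and flags ones that differ from a baseline. The REALBAR CLSID and path, the name servers and the McAfee/NVIDIA lines are taken from this thread; the allowlist of CAB hosts and the lines marked "constructed" are assumptions made for the example.

```python
"""Check HijackThis-style log lines against a known-good baseline.

Added example, not HijackThis code. Baseline values are either quoted
from the thread (REALBAR toolbar, ISP name servers) or constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Known-good O3 toolbar, as quoted in Response 16 (compared case-insensitively).
EXPECTED_TOOLBARS = {
    "{4E7BD74F-2B8D-469E-C0FF-FD60B590A87D}": r"c:\progra~1\common~1\real\toolbar\realbar.dll",
}
# Name servers the ISP is expected to hand out; taken from the O17 line in the log.
EXPECTED_NAMESERVERS = {"151.203.0.85", "151.203.0.84"}
# Hosts from which ActiveX (O16) CAB downloads are acceptable; constructed allowlist.
TRUSTED_CAB_HOSTS = {"download.mcafee.com", "bin.mcafee.com",
                     "download.macromedia.com", "v4.windowsupdate.microsoft.com"}

O3_RE = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding when a line deviates from the baseline, else None."""
    line = line.strip()
    if m := O3_RE.match(line):
        clsid, path = m.group("clsid").upper(), m.group("path").lower()
        expected = EXPECTED_TOOLBARS.get(clsid)
        if expected is None:
            return Finding("O3", "toolbar CLSID not in baseline", line)
        if path != expected:
            return Finding("O3", "known CLSID loads an unexpected DLL", line)
    elif m := O4_RE.match(line):
        cmd = m.group("cmd").lower()
        # Autostart entries launched from a Temp folder deserve a closer look.
        if "\\local settings\\temp\\" in cmd or "\\windows\\temp\\" in cmd:
            return Finding("O4", "Run entry launches from a Temp folder", line)
    elif m := O16_RE.match(line):
        host = re.sub(r"^https?://", "", m.group("url")).split("/")[0].lower()
        if host not in TRUSTED_CAB_HOSTS:
            return Finding("O16", f"ActiveX CAB from host outside allowlist: {host}", line)
    elif m := O17_RE.match(line):
        servers = set(m.group("servers").split())
        if not servers <= EXPECTED_NAMESERVERS:
            return Finding("O17", "DNS servers differ from ISP baseline", line)
    return None


def check_log(lines: List[str]) -> List[Finding]:
    """Run check_line over every line and keep only the findings."""
    return [f for f in (check_line(l) for l in lines) if f is not None]


# Sample input: lines 1, 3, 5 and 7 are from the log in this thread;
# lines 2, 4 and 6 are constructed to show each check firing.
SAMPLE_LINES = [
    r"O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll",
    r"O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\WINDOWS\System32\example-wrong.dll",  # constructed
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [example] C:\Documents and Settings\User\Local Settings\Temp\example.exe",  # constructed
    r"O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab",
    r"O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Class) - http://cabs.example.invalid/example.cab",  # constructed
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{979867AB-FC2C-4FD6-8023-4E56AF7E499E}: NameServer = 151.203.0.85 151.203.0.84",
]

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LINES):
        print(f"[{finding.section}] {finding.reason}: {finding.line}")
```

The baseline approach is the same comparison iceblue made by hand: a legitimate CLSID is only reassuring if the DLL it points at is the one the vendor ships, and a Run entry or ActiveX control is judged by where it loads from, not by its display name.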

Response Number 18
Name: sxshep
Date: December 12, 2003 at 17:45:36 Pacific
Reply:

Looks squeaky clean to my untrained eye, let's see if the iceman concurs.

shep


0

Response Number 19
Name: Skipper5045
Date: December 12, 2003 at 18:12:01 Pacific
Reply:

Hi Shep and Iceblue...

Wonderful news !!!!! My browser's Address bars are now working properly!!!!!!

I also downloaded Spywareblaster and Spywareguard. After one week of staying up till 1:00am trying to fix this crap these babies will be running 24/7.

It's not often in this day and age where total strangers go out of their way to help someone in need. I am truly thankful. You guys are the best! I wish you and your families a happy holiday and happy new year!


0

Response Number 20
Name: sxshep
Date: December 12, 2003 at 18:35:32 Pacific
Reply:

Skipper,

The very best to you and yours this holiday season.

I take little credit but great satisfaction that you can browse at will.

shep


0

Response Number 21
Name: knuck
Date: December 14, 2003 at 18:50:11 Pacific
Reply:

I just happened to find this page with a search for the Rads01 worm. I need help bad. I can't do anything to get rid of this thing. Every time I reboot AdAware detects 2 processes (Rads01) and then I remove them only to have them return. When I'm online (I have cable internet) they always return. Please help me any way you can. I'm just your average pc user and know very little. I have Norton system works and windows xp with active firewall. Thank you, Knuck



0

Response Number 22
Name: iceblue
Date: December 14, 2003 at 20:30:11 Pacific
Reply:

Clean bill of health!

Shep,
Looks like you have a trained eye for a bad guy. Well done.

Skip, good result.
Beef up the security to the max as suggested, and stick to windowsupdates like a kissing cousin.
ciao, Ice


0
