Full Version: Java ByteVerify woes - HIJ Log - please help?
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Lizi59
I think I've run just about every free spyware scanner I could find in the last few days! I ran Trend Housecall yesterday and today, and both times it detected JAVA BYTEVER.A-1 which it could not clean. I've run out of ideas so I'm hoping someone here can take a look at this log? Thanks so much!

Logfile of HijackThis v1.97.7
Scan saved at 8:37:32 PM, on 5/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Diane C\My Documents\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home%20Page/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8086
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: Shortcut to Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopo...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback...k-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://temp69fe.pogo.com/applet/drawpoker/...r-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo.com - http://hspoker02.pogo.com/applet/drawpoker...r-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://temp36.pogo.com/applet/videopoker2/...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://temp40.pogo.com/applet/pebble/pebble-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://showbiz2.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet07.pogo.com/applet/sweettooth/...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo10.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdow...n-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CEE8563-CA62-4F56-AD89-48EC7B72B8AA} (CacheUtils Class) - https://www.tournamentgames.com/tg/console/...myInetUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2...yer5.2AxWin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
LoPhatPhuud
There is very little to clean, and nothing that would give you that detection. Two possibilities come to mind. First, where was the virus detected? If it was in the System Restore, it would not be cleanable. Second, it may be a false positive. I will research more on that.

When you post your next log, please advise what file was infected and where it was located.

Now to clean your system...
Before we do anything, please move HiJackThis to a permanent folder. I suggest 'c:\program files\hijackthis\' but any folder other than the Desktop or a temporary folder is fine. This will allow us to use backups to restore entries if necessary.

Check the following items in HijackThis.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Home%20Page/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com


Close all windows except HijackThis and click Fix checked:

Post another HiJackThis log in this thread for review.
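The two O1 entries above map search.netscape.com and sitefinder.verisign.com to 12.129.205.209, and the missing line break between them is why HijackThis shows the first name glued straight onto the second address. As an added example (not part of this thread and not HijackThis code), the following Python script audits a hosts file for exactly that: it splits glued entries apart and flags every name that points at anything other than loopback or the 0.0.0.0 null route. The sample hosts text is constructed from the log's own two entries; only IPv4 entries are recognised.

```python
"""Audit a Windows hosts file for redirected names (added example, not from the thread).

Handles the glued form seen in the HijackThis O1 lines above, where a missing
line break ran "search.netscape.com" straight into the next "12.129.205.209".
Only IPv4 entries are recognised; 127.x loopback and the 0.0.0.0 null route
are treated as benign.
"""
import ipaddress
import re
import sys

# Constructed sample: the two entries reported in the log, plus normal lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
0.0.0.0 ads.example.invalid   # constructed ad-blocking entry, benign
"""

# An IPv4 literal followed by whitespace or end of line; the lookahead lets it
# match even when the previous hostname is glued onto its front.
_IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}(?=\s|$)")


def _is_ipv4(text):
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def _is_benign(ip):
    """Loopback and the 0.0.0.0 null route do not send traffic elsewhere."""
    return ip == "0.0.0.0" or ipaddress.ip_address(ip).is_loopback


def parse_hosts_line(line):
    """Return [(ip, [names...]), ...] for one hosts line; [] for blank/comment lines.

    Several "ip names" groups on one physical line are split apart, so a
    missing line break does not hide the second entry.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return []
    matches = [m for m in _IP_RE.finditer(body) if _is_ipv4(m.group(0))]
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        names = body[m.end():end].split()
        entries.append((m.group(0), names))
    return entries


def audit_hosts(text):
    """Return one finding per hostname mapped to a non-benign address."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ip, names in parse_hosts_line(line):
            if _is_benign(ip):
                continue
            for name in names:
                findings.append({"line": lineno, "name": name, "ip": ip})
    return findings


if __name__ == "__main__":
    # Pass the hosts file path (on XP: C:\WINDOWS\system32\drivers\etc\hosts),
    # or run with no argument to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"line {f['line']}: {f['name']} -> {f['ip']}")
```

Run against the sample it reports both redirected names on line 3; a hosts file that only contains localhost and null-route entries produces no findings.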
DCZ
Hi, I've come across this byteverify thing before. NAV and Antivir can detect it and quarantine it. I have found it hiding in my Java jar file. I deleted the IDX file as well as the compressed file (where byteverify was hiding) with no problems. I also delete the trace files when I find them. Make sure it isn't backed up in system restore by shutting off system restore and then restarting system restore with a new restore point. Hope this helps.
Lizi59
Thanks so much for the quick responses! LoPhat, I've moved HiJackThis to C:\Program Files\HiJackThis, and fixed the 5 entries you indicated. I thought I had System Restore disabled but when I checked it was still running, so I disabled it.

I ran Housecall again with this (same) result: JAVA_BYTEVER.A-1 Non Cleanable C:\Documents and Settings\Diane C\ApplicationData\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5157872c-195d569c.zip *VerifierBug.class*

I went to that zip file and opened it - inside was a folder named META-INF and then VerifierBug.Class, Gummy.Class, Counter.Class and Beyond.Class. I looked at those files (trying to determine if I could safely delete them) and oddly enough, I had no problem opening any of them except the Counter.Class - I got an AVG message saying it was infected with the same JAVA_BYTEVER.A-1 and I should run AVG (but AVG has never detected this, not even last night when I ran a scan right before running Housecall). I also got a WinRAR message at the same time:

C:\Documents and Settings\Diane C\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5157872c-195d569c.zip: Cannot open Counter.class
Access is denied.

Hope that's not too much info! I made no changes, closed everything and ran HiJackThis again.

Logfile of HijackThis v1.97.7
Scan saved at 7:04:48 AM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8086
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: Shortcut to Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopo...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback...k-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://temp69fe.pogo.com/applet/drawpoker/...r-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo.com - http://hspoker02.pogo.com/applet/drawpoker...r-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://temp36.pogo.com/applet/videopoker2/...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://temp40.pogo.com/applet/pebble/pebble-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://showbiz2.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet07.pogo.com/applet/sweettooth/...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo10.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdow...n-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CEE8563-CA62-4F56-AD89-48EC7B72B8AA} (CacheUtils Class) - https://www.tournamentgames.com/tg/console/...myInetUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2...yer5.2AxWin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

DCZ, sounds like my situation is just like what you had except the only thing that's detected it so far is Housecall and I've run sooooo many AntiVirus/Trojan/Spyware programs in the last few days.

I can't tell you how much I appreciate all this help. I wasn't having any luck finding any info on what to do about this until I stumbled across this site.
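As an added example (not from this thread and not any scanner's code), here is a Python script that triages the Java plug-in cache the post above describes without opening any class in a viewer: it reads only each cached jar's zip directory and reports jars whose entry names are on a watch-list built from the names the scanner reported. The cache layout, the file name ar3.jar-5157872c-195d569c.zip and the class names come from the post; the directory it scans here is a constructed temporary copy so the script runs offline, and nothing inside the jar is executed.

```python
"""Triage cached Java applet jars without executing or opening their classes.

Added example, not from the thread. The cache layout, the jar name
ar3.jar-5157872c-195d569c.zip and the class names come from the post above;
the directory scanned here is a constructed temp copy so the script runs
offline. On the poster's machine the real cache root was the
"Application Data/Sun/Java/Deployment/cache" folder under her profile.
"""
import os
import tempfile
import zipfile

# Entry names the scanner reported in the post, used here as a constructed
# watch-list (not an authoritative signature).
WATCHLIST = {"VerifierBug.class", "Counter.class"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def list_jar_entries(path):
    """Return the entry names of a jar/zip, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return None


def triage_cache(cache_dir, watchlist=WATCHLIST):
    """Map each cached jar containing a watch-listed entry to the entries found.

    Only the zip central directory is read; no entry is extracted or run.
    """
    hits = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if not name.lower().endswith((".jar", ".zip")):
                continue
            path = os.path.join(root, name)
            entries = list_jar_entries(path)
            if not entries:
                continue
            matched = sorted(e for e in entries if os.path.basename(e) in watchlist)
            if matched:
                hits[path] = matched
    return hits


def companion_files(jar_path):
    """Return the cache side files (the .idx the second poster mentions) beside a jar."""
    stem = jar_path.rsplit(".", 1)[0]
    return [p for p in (stem + ".idx",) if os.path.exists(p)]


def build_sample_cache():
    """Construct a throwaway cache directory mirroring the layout in the post."""
    base = tempfile.mkdtemp(prefix="javapi-cache-")
    jar_dir = os.path.join(base, "javapi", "v1.0", "jar")
    os.makedirs(jar_dir)
    flagged = os.path.join(jar_dir, "ar3.jar-5157872c-195d569c.zip")
    with zipfile.ZipFile(flagged, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for cls in ("VerifierBug.class", "Gummy.class", "Counter.class", "Beyond.class"):
            zf.writestr(cls, CLASS_MAGIC)  # magic bytes only: no bytecode inside
    open(os.path.join(jar_dir, "ar3.jar-5157872c-195d569c.idx"), "wb").close()
    # Constructed benign neighbour, named after one of the pogo applets in the log.
    benign = os.path.join(jar_dir, "gin-ob-assets.jar-0badc0de-00000000.zip")
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("gin/Board.class", CLASS_MAGIC)
    return base


if __name__ == "__main__":
    root = build_sample_cache()
    for jar, matched in triage_cache(root).items():
        print(jar, "->", ", ".join(matched), "| side files:", companion_files(jar))
```

Pointing `triage_cache` at a real cache root lists the jar and its .idx companion together, so both can be removed as one unit without extracting anything first.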
Lizi59
Forgot to mention two things. On the Tools menu in Explorer I no longer have a "Folder Options" selection. I'm not sure if this is related, but it's sure annoying! And as of this morning I no longer have a home page - all I'm getting is about:blank. I think I remember reading somewhere that this is or could be related?

Thanks again!
LoPhatPhuud
First:
Go ahead and delete the offending Jar file. I checked my Sun folder and I do not have that one. Also, make sure you have the latest release of Java.


Second:
For the Toolbar issue, that is probably the result of an improper removal of an iSearch infection. We can fix the problem.

Open an empty Notepad file.
Copy the following text and paste into the new Notepad document:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
"NoToolbarCustomize"=-
"Btn_Search"=-
"SpecifyDefaultButtons"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
"NoToolbarCustomize"=-
"Btn_Search"=-
"SpecifyDefaultButtons"=-


Save the file as 'isearchfix.reg'
Double click on this file and merge it into your registry.
Your Toolbar Options should now be available.


Third:
The about:blank home page is not good. You may have picked up a nasty version of CoolWebSearch.

First step is to find out if you are infected.

Download 'Dllfix.exe' from:
http://tools.zerosrealm.com/dllfix.exe
http://downloads.subratam.org/dllfix.exe

It is a self-extracting archive; double click on it.

Open the DLLFIX folder and double click on Start.bat.

At the main menu, press '1' (Run Find-All by FreeAtLast) and enter.
Let the program run.
When finished, Press 'E' to exit.

Open the DLLFix folder.
1. Post the contents of Output.txt in this thread.
2. Attach file Windows.txt to the same post. (Attach, do not post, the file is in binary)
3. Post a new HiJackThis log in this thread.
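As an added example (not the helper's code and not any tool's), here is a small Python parser for the REGEDIT4 text posted in the "Second" step above. It shows what a .reg file will do before it is merged: a `"Name"=-` line deletes a value, a `[-Key]` line deletes a key, and anything else sets a value. Its `apply_ops` function does a dry run against the live registry with Python's standard `winreg` module on Windows, reporting which of the listed policy values actually exist under the Policies\Explorer keys; on other platforms it only parses. The sample text is the helper's isearchfix.reg copied from above.

```python
"""Parse a REGEDIT4-style .reg file and dry-run it against the registry.

Added example, not part of the thread. SAMPLE_REG is the isearchfix.reg text
posted above. On Windows, apply_ops() uses the standard winreg module; on
other platforms it only reports what would be done.
"""
import re

SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
"NoToolbarCustomize"=-
"Btn_Search"=-
"SpecifyDefaultButtons"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoBandCustomize"=-
"NoToolbarCustomize"=-
"Btn_Search"=-
"SpecifyDefaultButtons"=-
"""

_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# Either the default value (@) or a quoted name, then '=' and the raw data.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_HEADERS = {"REGEDIT4", "WINDOWS REGISTRY EDITOR VERSION 5.00"}


def _logical_lines(text):
    """Yield lines with hex continuations (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg(text):
    """Return a list of ops: {"key", "name", "action", "data"}.

    action is "delete_key", "delete_value" or "set"; name is None for the
    default value (@); data is the raw right-hand side for "set".
    """
    ops, key = [], None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.upper() in _HEADERS:
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:  # "[-HKEY...]" deletes the whole key
                ops.append({"key": key, "name": None, "action": "delete_key", "data": None})
                key = None
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable .reg line: {line!r}")
        name = None if m.group(1) == "@" else m.group(2)
        if m.group(3) == "-":  # '"Name"=-' deletes the value
            ops.append({"key": key, "name": name, "action": "delete_value", "data": None})
        else:
            ops.append({"key": key, "name": name, "action": "set", "data": m.group(3)})
    return ops


def apply_ops(ops, dry_run=True):
    """Check (and, with dry_run=False, delete) the values that delete_value ops name.

    Returns [(op, status)]. Only value deletions are handled, which is all the
    sample needs; key deletions and sets are reported as skipped.
    """
    try:
        import winreg
    except ImportError:
        return [(op, "skipped: winreg unavailable on this platform") for op in ops]
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CLASSES_ROOT": winreg.HKEY_CLASSES_ROOT,
             "HKEY_USERS": winreg.HKEY_USERS}
    results = []
    for op in ops:
        if op["action"] != "delete_value":
            results.append((op, "skipped: only value deletions are applied"))
            continue
        hive, _, subkey = op["key"].partition("\\")
        if hive not in hives:
            results.append((op, "skipped: unknown hive"))
            continue
        access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
        try:
            with winreg.OpenKey(hives[hive], subkey, 0, access) as k:
                winreg.QueryValueEx(k, op["name"] or "")  # raises if the value is absent
                if not dry_run:
                    winreg.DeleteValue(k, op["name"] or "")
                results.append((op, "would delete" if dry_run else "deleted"))
        except FileNotFoundError:
            results.append((op, "absent"))
        except PermissionError:
            results.append((op, "access denied"))
    return results


if __name__ == "__main__":
    for op, status in apply_ops(parse_reg(SAMPLE_REG)):
        print(f"{status:>45}  {op['key']}\\{op['name']}")
```

The dry run is the useful part: it tells you which of the policy values a .reg file is about to remove are actually set, and the HKLM half needs an administrator account to delete anything. The same check applies to any other value under these Policies\Explorer keys, for example NoFolderOptions, the policy value that hides the Folder Options item in Explorer's Tools menu.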
Lizi59
I hope this isn't a duplicate post; don't know what happened to the first one!

Okay, here we go:

Problem 1 - deleted file. I'm fairly sure I have the most current version (5.00.3810).

Problem 2 - got my Folder Options back - Thank you!!!

Problem 3 - Logs posted and attached as directed.


--==***@@@ FIND-ALL' VERSION 5.2 -5/18 @@@***==--

Thu 05/27/2004
02:19 PM

System Info:

Microsoft Windows XP [Version 5.1.2600]
C: "" (88FB:BA46) - FS:NTFS clusters:4k
Total: 59 954 065 408 [56G] - Free: 16 375 611 392 [15G]


*IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q818529;Q330994;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;

*Google Toolbar version and Attributes:
Defaults: "A" ;"R"
Path not found - C:\Program Files\google
Path not found - C:\Program Files\google

*UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


*Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

*M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll


*PC uptime:
2:19pm up 0 days, 18:11
Locked or 'Suspect' file(s) found...


*List of top level windows:
HWND PID PRIO TITLE
10174 1896 norm PermissionDlg
1904be 1036 norm SysFader
200a4 1036 norm _Shell_TrayWnd
b0432 2884 norm SysFader
10158 1896 norm ViolationDlg
10026 704 high NetDDE Agent
1704b0 3528 norm C:\WINDOWS\System32\cmd.exe
a04ce 1036 norm dllfix
c0404 2884 norm Gladiator Security Forum -> Java ByteVerify woes - HIJ Log - please help? - Mic
504a2 2884 norm MCI command handling window
40490 2884 norm Java Console
1b04aa 2884 norm theAwtToolkitWindow
9040e 2884 norm DDE Server Window
3f0092 2316 norm eMule v0.42g
50406 2316 norm CAsyncSocketEx Helper Window
50458 2316 norm Hostname Resolve Wnd
490088 2316 norm Socket Notification Sink
3e008e 2316 norm Emule Socket Wnd
100d4 1884 norm AVG Control Center - FREE Edition
3010a 1896 norm ZoneAlarm
40244 1036 norm MCI command handling window
3012a 1036 norm Connections Tray
30138 1036 norm Power Meter
40154 1036 norm MS_WebcheckMonitor
3014a 1488 norm lxbc POR Monitor
1011e 1488 norm LEXLMPM
200d2 216 norm NVSVCPMMWindowClass
100a8 1964 norm The Proxomitron - default
1009c 1892 norm Logitech GetMessage Hook
20066 1892 norm LogiTrayMgrWnd
20060 1892 norm Logitech E/M Executive
20062 1876 norm Creative Diagnostics Agent
3005a 1496 norm
40058 1496 norm LexPPS BCE Comm Window
60120 1036 norm SysFader
40046 1036 norm Program Manager
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



Logfile of HijackThis v1.97.7
Scan saved at 3:28:42 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8086
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - Startup: Shortcut to Proxomitron.lnk = C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\NpHcd32.dll
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/check...g-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet/videopo...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire46.pogo.com/applet/solitai...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbin...o-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback...k-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo.com - http://temp37.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo - http://temp69fe.pogo.com/applet/drawpoker/...r-ob-assets.cab
O16 - DPF: High Stakes Poker by pogo.com - http://hspoker02.pogo.com/applet/drawpoker...r-ob-assets.cab
O16 - DPF: Jokers Wild Poker by pogo - http://temp36.pogo.com/applet/videopoker2/...d-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong.pogo.com/applet/mahjong/mahjong-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/f...l-ob-assets.cab
O16 - DPF: Pebble Beach Golf by pogo - http://temp40.pogo.com/applet/pebble/pebble-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit26.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://showbiz2.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweet07.pogo.com/applet/sweettooth/...h-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet/peaks/peaks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo10.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo07.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wor...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdow...n-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown...n-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet/worldclass...s-ob-assets.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shiz...pside_web18.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CEE8563-CA62-4F56-AD89-48EC7B72B8AA} (CacheUtils Class) - https://www.tournamentgames.com/tg/console/...myInetUtils.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://skill.skilljam.com/ssp/SSP.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downl...eCallButton.CAB
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2...yer5.2AxWin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games/v50/swapit/swapit.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


It feels good to be making some progress... :)
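The O16 lines in the log above are the "Downloaded Program Files" (ActiveX controls) that Internet Explorer has fetched; an analyst reads them by looking at where each control came from. As an added example that is not part of this thread, here is a small Python script that parses O16 lines in both shapes HijackThis uses and flags the ones worth a second look (the sample log lines are copied from the post above; the publisher allowlist is a hypothetical one and is an assumption, not a verdict list):

```python
import re
from urllib.parse import urlparse

# HijackThis lists Downloaded Program Files (ActiveX controls) as O16 lines, in two shapes:
#   O16 - DPF: {CLSID} (Friendly Name) - http://host/path/file.cab
#   O16 - DPF: Friendly Name - http://host/path/file.cab
O16_WITH_CLSID = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
O16_NAME_ONLY = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: one O4 line and four O16 lines copied from the log above.
# HijackThis shortens long URLs with "...", which urlparse tolerates.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
"""

# Hypothetical allowlist of publishers the machine's owner recognises (an assumption, not a verdict list).
TRUSTED_SUFFIXES = ("pogo.com", "apple.com", "macromedia.com", "yahoo.com")


def parse_o16(log_text):
    """Return one dict per O16 line (clsid or None, name, url, host); other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O16_WITH_CLSID.match(line.strip()) or O16_NAME_ONLY.match(line.strip())
        if m:
            d = m.groupdict()
            host = (urlparse(d["url"]).hostname or "").lower()
            entries.append({"clsid": d.get("clsid"), "name": d["name"], "url": d["url"], "host": host})
    return entries


def triage(entries, trusted_suffixes=TRUSTED_SUFFIXES):
    """Map each control's name to the reasons it deserves a closer look; an empty list means nothing was noted."""
    report = {}
    for e in entries:
        reasons = []
        if BARE_IPV4.fullmatch(e["host"]):
            reasons.append("control fetched from a bare IP address rather than a named host")
        if not any(e["host"] == s or e["host"].endswith("." + s) for s in trusted_suffixes):
            reasons.append("host is not on the allowlist")
        if e["url"].lower().endswith(".dll"):
            reasons.append("raw DLL rather than a .cab package")
        report[e["name"]] = reasons
    return report
```

A flag is a prompt to check the publisher and the CLSID, not a finding of infection; the Symantec entry above, for instance, is a legitimate support tool that simply is not on the sample allowlist.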
LoPhatPhuud
The good news is that the suspected infection is not there. And your system is clean!! The about:blank issue may just have been a fluke. There is nothing in your log to indicate a problem, but by all means, contact us if one develops.

In the meantime here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ('Download signed and unsigned ActiveX controls') to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe' to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: http://www.staff.uiuc.edu/~ehowes/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/software/adaware/
b. SpyBot S&D: http://security.kolla.de/index.php?lang=en&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857


Good luck, and thanks for coming to Gladiator Security Forums.

NOTE: This thread is now closed. Should you need it reopened, please PM a mod.
Everyone else having a similar issue, please launch a new topic for yourselves.