HijackThis Log vs. i-lookup.com

dimitri

Ramesh,
Here's the log. Hope it reveals the Achilles heel.
(also hope this will wipe out the latest variant Frank's
concerned about!) Sorry, but I can only post it by copying
the whole thing!
Tks in advance, D.

Logfile of HijackThis v1.97.7
Scan saved at 10:08:45 PM, on 11/20/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\Plaxo\1.3.1.132\InstallStub.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\ZIPPR\zippr100.exe
C:\WINNT\system32\drivers\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvguide.com/listings
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.comcast.net/comcast.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINNT\system32\windec32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [hpppt]
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.3.1.132\InstallStub.exe -a
O4 - Startup: msimn.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37590.649849537
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab
 
PA Bear

Post the log here instead: http://forums.spywareinfo.com

i-lookup
http://www.doxdesk.com/parasite/ILookup.html
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

Dimitri

Thanks, PA BEAR.
Logged into Spyware site (which looks great) - but can't
find the HTH thread. Have I misunderstood your msg.?
Tks in advance
D.

Ramesh [MVP]

Hi Dimitri,

Apart from i-Lookup, your system has other types of malware installed (Gator
& others). Try Ad-Aware (www.lavasoftusa.com) and update it. Run a full
system scan.

Next, reset the search entries using this patch: (the search entries are
hijacked by i-Lookup)
Click the Search button in the toolbar > Customize > AutoSearch Settings >
Select a provider from the list.
Open Internet Explorer > Tools > Options > Programs > "Reset Web Settings"

Download the fix - Reset Search:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

~ Please reply to newsgroup ~
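
The reply above attributes the hijacked search entries to i-Lookup. The following Python is an added example, not part of the original thread and not HijackThis's own code: it rejoins the hard-wrapped R0/R1 lines of a posted log and lists the Internet Explorer search and start-page values whose URL points at a given domain. The function names and the line-joining heuristic are assumptions of this example; the sample lines are an excerpt of the log posted in this thread.

```python
import re
from urllib.parse import urlparse

# Excerpt of the log posted in this thread, kept in its hard-wrapped form.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.tvguide.com/listings
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://i-
lookup.com/search.html
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
"""

# A log entry starts with a section code such as "R1 - " or "O16 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# R entries: "<code> - <hive>\<key>,<value name> = <data>"
R_ENTRY = re.compile(r"^(R[0-3]) - (HK[A-Z]+)\\([^,]+),(.+?) = ?(.*)$")


def unwrap(text):
    """Rejoin entries that a mail/news client wrapped across lines.

    Heuristic (an assumption of this example): a continuation is glued
    without a space when the break fell inside a token, i.e. after a hyphen
    that is not the " - " field separator, before a path backslash, or in
    the middle of a URL. Otherwise the break replaced a space.
    Header and process-list lines do not start an entry, so they collapse
    into one pseudo-entry that the R parser later ignores.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
            continue
        prev = entries[-1]
        last_token = prev.split(" ")[-1].lower()
        glued = (
            (prev.endswith("-") and not prev.endswith(" -"))
            or line.startswith("\\")
            or last_token.startswith(("http://", "https://"))
        )
        entries[-1] = prev + ("" if glued else " ") + line
    return entries


def _host(data):
    """Return the lower-cased host of a URL value, or '' if there is none."""
    try:
        return (urlparse(data).hostname or "").lower()
    except ValueError:
        return ""


def ie_settings(entries):
    """Parse R0-R3 entries into dicts; all other sections are skipped."""
    out = []
    for entry in entries:
        m = R_ENTRY.match(entry)
        if not m:
            continue
        code, hive, key, value, data = m.groups()
        out.append({"code": code, "hive": hive, "key": key,
                    "value": value, "data": data, "host": _host(data)})
    return out


def pointing_at(settings, domain):
    """Settings whose host is the domain itself or one of its subdomains."""
    domain = domain.lower().lstrip(".")
    return [s for s in settings
            if s["host"] == domain or s["host"].endswith("." + domain)]


if __name__ == "__main__":
    for hit in pointing_at(ie_settings(unwrap(SAMPLE_LOG)), "i-lookup.com"):
        print(f'{hit["code"]} {hit["hive"]}\\{hit["key"]} '
              f'[{hit["value"]}] -> {hit["data"]}')
```

Matching on the parsed host rather than on a substring keeps unrelated domains that merely end in the same letters out of the result.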


O4 - Startup: Webshots.lnk = C:\Program
Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk =
C:\Program Files\Common Files\Adobe\Calibration\Adobe
Gamma Loader.exe
O4 - Global Startup: Billminder.lnk =
C:\QUICKENW\billmind.exe
O4 - Global Startup: Controller.LNK = C:\Program
Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Gator eWallet.lnk = C:\Program
Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program
Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program
Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk =
C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk =
C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .mts: C:\Program
Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED}
(Support.com Installer) -
http://v55.comcastsupport.com/sdccommon/download/tgctlins.c
ab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED}
(Support.com Configuration Class) -
http://www.comcastsupport.com/sdccommon/download/tgctlcm.ca
b
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
(Installer Class) -
http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} -
http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader
Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE}
(SideStep IE Inst) -
http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB}
(BrowseFolderPopup Class) -
http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys
Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
(Shockwave ActiveX Control) -
http://download.macromedia.com/pub/shockwave/cabs/director/
sw.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582}
(McAfee.com Download+Installer Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,55/mcinsctl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info
..apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A}
(Microsoft.WinRep) -
https://webresponse.one.microsoft.com/oas/ActiveX/winrep.ca
b
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
(McAfee.com Operating System Class) -
http://bin.mcafee.com/molbin/shared/mcinsctl/en-
us/4,0,0,72/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE}
(OPUCatalog Class) -
http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid
Class) -
http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl
..CAB?37590.649849537
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
(DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/mcgdmgr/en-
us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}
(Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swf
lash.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} -
http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D}
(CarPoint Auto-Pricer Control) -
http://carpoint.msn.com/components/ocx/autopricer/autoprice
r.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C}
(Downloader Class) -
http://www.2020search.com/toolbar/2020Search.cab
 

siljaline

Dimitri said:
Thanks, PA BEAR.
Logged into Spyware site (which looks great) - but can't
find the HTH thread. Have I misunderstood your msg.?
Tks in advance
D.

Dimitri,
On behalf of PA Bear, "HTH" is an acronym for "Hope This Helps".

Regards

--
siljaline

MS - MVP Windows IE/OE
______________________


(Please reply to group as reply
address is invalid)
 

Dimitri

Thanks Ramesh - what a lot of work these parasites create!
Will run your suggested software.
As for Gator, I find that useful for passwords, etc. Is it
harmful in any way? (What's malware, b.t.w.?)
Later..!
D.
-----Original Message-----
Hi Dimitri,

Apart from i-Lookup, your system has other types of malware installed (gator
& others.). Try Ad-Aware (www.lavasoftusa.com) and update it. Run a full
system scan.

Next, reset the search entries using this patch: (the search entries are
hijacked by i-Lookup)
Click the Search button in the toolbar > Customize > AutoSearch Settings >
Select a provider from the list.
Open Internet Explorer > Tools > Options > Programs
"Reset Web Settings"

Download the fix - Reset Search:
http://www.kellys-korner-xp.com/regs_edits/RestoreSearch2.REG

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

~ Please reply to newsgroup ~



Ramesh [MVP]

Yes. Please see:
http://www.pestpatrol.com/PestInfo/g/gator_com.asp

--
Ramesh - Microsoft MVP
http://www.mvps.org/sramesh2k

Microsoft Most Valuable Professional Program
http://mvp.support.microsoft.com

~ Please reply to newsgroup ~


Thanks Ramesh - what a lot of work these parasites create!
Will run your suggested software.
As for Gator, I find that useful for passwords, etc. Is it
harmful in any way? (What's malware, b.t.w.?)
Later..!
D.

Mike Burgess

Dimitri,
"what a lot of work these parasites create"
Yup! .... and for all that the "xxxtoolbar" affiliate got paid 20 cents (US)
.... imagine that!
FYI: once "xxxtoolbar" loaded, it then downloaded "i-lookup", and
"2020search.com"

Curious though WinPatrol *should* have jumped up when
the new Startup entries were being added? Did it?

Use RoboForm instead of Gator, it will even import the settings, etc.
http://www.roboform.com/
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 11-19-03]
Please post replies to this Newsgroup, email address is invalid
--

Dimitri said:
Thanks Ramesh - what a lot of work these parasites create!
Will run your suggested software.
As for Gator, I find that useful for passwords, etc. Is it
harmful in any way? (What's malware, b.t.w.?)
Later..!
D.
<snip>
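
Added example, not part of any post in this thread: a Python script that rejoins the wrapped lines of a HijackThis log pasted the way dimitri's was, then flags the entries the replies point to, namely IE search settings and ActiveX downloads on i-lookup.com, xxxtoolbar.com and 2020search.com, plus BHOs listed as "(no file)". The function names, the 59-column wrap width and the join heuristics are assumptions inferred from the pasted log; the sample lines are copied from it.

```python
import re
from urllib.parse import urlsplit

# Domains the replies in this thread tie to the hijack.
WATCHLIST = {"i-lookup.com", "xxxtoolbar.com", "2020search.com"}
# Assumption: the news client hard-wrapped long tokens at 59 columns.
WRAP_COL = 59
# A HijackThis entry starts with a section code such as "R1 - " or "O16 - ".
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
URL = re.compile(r"https?://\S+")

# Sample lines copied from the log in this thread, wrapped as posted.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.tvguide.com/listings
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://i-
lookup.com/search.html
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-
000874180BB3} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1
\WinPatrol.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
(Installer Class) -
http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update
Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl
..CAB?37590.649849537
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C}
(Downloader Class) -
http://www.2020search.com/toolbar/2020Search.cab
"""


def unwrap(text):
    """Rejoin wrapped physical lines into one string per log entry."""
    entries, prev = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            if line.startswith(".."):
                line = line[1:]  # undo NNTP dot-stuffing of a leading "."
            # Glue without a space when the break fell inside a token:
            # full-width line, trailing hyphen (but not the " - " separator),
            # or a continuation that starts with a path or extension character.
            glued = (
                len(prev) >= WRAP_COL
                or (prev.endswith("-") and not prev.endswith(" -"))
                or line.startswith(("\\", "."))
            )
            entries[-1] += ("" if glued else " ") + line
        prev = line
    return entries


def on_watchlist(host):
    """True for a watchlisted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def triage(text):
    """Return (section code, reason, full entry) for entries worth a look."""
    findings = []
    for entry in unwrap(text):
        code = entry.split(" - ", 1)[0]
        hosts = [(urlsplit(u).hostname or "").lower() for u in URL.findall(entry)]
        bad = [h for h in hosts if on_watchlist(h)]
        if code.startswith("R") and bad:
            findings.append((code, "IE search/start setting points at " + bad[0], entry))
        elif code == "O16" and bad:
            findings.append((code, "ActiveX download from " + bad[0], entry))
        elif code == "O2" and entry.endswith("(no file)"):
            findings.append((code, "BHO registered but its file is missing", entry))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE):
        print(f"{code:<4} {reason}\n     {entry}")
```
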
 

PA Bear

Just start your own thread, even though it seems you may have things
straightened out.
--
~PA Bear
Thanks, PA BEAR.
Logged into Spyware site (which looks great) - but can't
find the HTH thread. Have I misunderstood your msg.?
Tks in advance
D.
-----Original Message-----
Post the log here instead: http://forums.spywareinfo.com

i-lookup
http://www.doxdesk.com/parasite/ILookup.html
--
HTH...Please post back to this thread

~Robear Dyer (aka PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

dimitri wrote:
Ramesh,
Here's the log. Hope it reveals the Achilles heel.
(also hope this will wipe out the latest variant Frank's
concerned about!) Sorry, but I can only post it by copying
the whole thing!
Tks in advance, D.

Logfile of HijackThis v1.97.7
Scan saved at 10:08:45 PM, on 11/20/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive
Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\mcafee.com\VSO\mcshield.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\Plaxo\1.3.1.132\InstallStub.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Gator.com\Gator\Gator.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\ZIPPR\zippr100.exe
C:\WINNT\system32\drivers\etc\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Bar = http://i-lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
Page = http://i-lookup.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page = http://www.tvguide.com/listings
R1 - HKCU\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://i-
lookup.com/search.html
R0 - HKLM\Software\Microsoft\Internet
Explorer\Search,SearchAssistant = http://i-
lookup.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page_bak = http://www.comcast.net/comcast.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\WINNT\Downloaded Program Files\SbCIe026.dll
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINNT\system32\windec32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [hpppt]
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\mcafee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKCU\..\Run: [PPWebCap] C:\Program Files\Visioneer\PaperPort\PPWebCap.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.3.1.132\InstallStub.exe -a
O4 - Startup: msimn.lnk = C:\Program Files\Outlook Express\msimn.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} (SideStep IE Inst) - http://download.sidestep.com/get/k00719/sb01f.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com Download+Installer Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37590.649849537
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} - http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://carpoint.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab