Another Virus/Hijack Removal Problem in Security

Another Virus/Hijack Removal Problem in Security http://www.dslreports.com/forum/r12423314 en Thu, 26 Nov 2009 18:42:31 EDT Thu, 26 Nov 2009 18:42:31 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12568470 CalamityJane : That uninstaller is best avoided according to several experts the antispyware community:

»forum.iamnotageek.com/t-805880.html

quote:
Though MyPCTuneUp does attempt to remove many of the parasites
connected to the Transponder gang, it runs using their 'Thinstaller'
program also used by Transponder and FavoriteMan, which connects to
their servers and spews out information about your machine, such as
computer and account names, and what software is installed.

Advice: avoid.
--
Andrew Clover
mailto:and@doxdesk.com
»www.doxdesk.com/

Is This Software On Your Hard Drive?
How one of the Internet’s largest and most secretive adware companies really operates. With new regulations coming, will it really reform?
»www.msnbc.msn.com/id/6689667/site/newsweek/

Giving your email to MyPCtuneup.com in order to obtain a user ID starts SPM from Traffix!
»netrn.net/spywareblog/archives/2···traffix/

Ceres.dll:
Attacking a firewall near you.
»www.vitalsecurity.org/ceres.htm

webhelper Alert - Transponder Gangs On the Move Ipinsight.net now MyPctuneup.com
»www.webhelper4u.com/tnewswritigs···eup.html
--
It takes a disaster to make a woman out of a female

Gladiator Security Forum

Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,12568470 Thu, 03 Feb 2005 08:50:04 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12568273 anon : Ceres PopUps was on my computer at work. The company that I traced the ceres.dll to is MyPCTUNEup.com. Their removal tool seemed to work and they claim to not install any spyware on your box. I checked to see if the Ceres.dll was still in my Windows directory, and it was not after I ran the removal software. I will keep my fingers crossed!!!
Good Luck]]> http://www.dslreports.com/forum/remark,12568273 Thu, 03 Feb 2005 08:16:00 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12568233 anon : To remove our advertising software from your computer, please visit HTTP://www.MyPCTuneUp.com/unistaller_exe.php, where you will be guided through an easy uninstall process.
It will remove the following Advertising Software programs from your computer: BestOffers, BetterInternet, Ceres, LocalNRD, MSView, MultiMPP, MXTarget, OfferOptimizer, Twaintec, and some others.
Good Luck!!!]]> http://www.dslreports.com/forum/remark,12568233 Thu, 03 Feb 2005 08:01:52 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12446234 CalamityJane : Oh, no...doesn't work for Mozilla just IE, but also no - it doesn't interfere with SpywareBlaster or Spybot or any other security programs for those using IE.]]> http://www.dslreports.com/forum/remark,12446234 Fri, 21 Jan 2005 13:09:30 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12446219 hgratt : Does IESPYAD do anything for Mozilla? Also, will it conflict with SpywareBlaster and/or SpyBot's immunization procedures?]]> http://www.dslreports.com/forum/remark,12446219 Fri, 21 Jan 2005 13:07:43 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12445720 CalamityJane : Great! I figured you would fix him up :)

Another really *must get* free tool is Eric Howe's IESPYAD. That will put over 5,000 known malicious and/or dangerous sites into his restricted zone. It needs to be updated periodically (see our Updates list at the top of this forum each day for the latest) but installing that tool will help stop reinfections and increase his protection without using any memory resources :)
--
It takes a disaster to make a woman out of a female

Gladiator Security Forum

Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,12445720 Fri, 21 Jan 2005 12:07:37 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12445653 hgratt : You bet! I've loaded Ad-Aware, Spybot, CWShredder and SpywareBlaster onto his system. Also installed AVAST anti-virus and a2 anti-trojan on his system.

Hopefully, this will give him adequate automatic protection and manual scanning/checking capabilities.

Thanks again for your help.]]> http://www.dslreports.com/forum/remark,12445653 Fri, 21 Jan 2005 12:00:24 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12439648 CalamityJane : Ok, good job.

The log looks clean :)

I assume you are getting some prevention programs and extra security in place for them]]> http://www.dslreports.com/forum/remark,12439648 Thu, 20 Jan 2005 18:52:06 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12439157 hgratt : All right! The de-registration seems to have done it and allowed me to proceed successfully with your instructions.

Here is the latest HJT log:
Thanks for all the help. Hopefully this will last.

Logfile of HijackThis v1.99.0
Scan saved at 5:04:28 PM, on 1/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\TIOGA\CLIENT\BIN\TGCMD.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\TECH\WHEEL MOUSE\5.0\MOUSE32A.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERSIL\PRISM 802.11 WIRELESS LAN\CONFIG.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »my.iwon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.answerteam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [mgavrtclexe] c:\windows\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\Intersil\PRISM 802.11 Wireless LAN\Config.exe
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - »www2.incredimail.com/contents/se···ader.cab]]> http://www.dslreports.com/forum/remark,12439157 Thu, 20 Jan 2005 17:58:09 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12426491 hgratt : Thanks. I will provide them with this information.

Harvey]]> http://www.dslreports.com/forum/remark,12426491 Wed, 19 Jan 2005 11:38:07 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12426425 John2g :

said by hgratt

:

BTW, these people use the www.iwon.com page as their home page In fact, everytime we update SpywareBlaster , I have to remove the entry in the IE Restricted Zone. To me, the page just looks like a general information page where they sign up for news , weather updates, etc. What are the nasties associated with this page?

Thanks again,
Harvey

From Symantec

Behavior
Adware.IWon is a Browser Helper Object that sends data to and receives data from a remote Web site.

Symptoms
You notice outgoing connections to www.iwon.com.

Transmission
This adware is installed when you download and install software from www.iwon.com.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,12426425 Wed, 19 Jan 2005 11:31:07 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12426384 hgratt : Thanks. I plan on getting over there again Thursday and will try the removal procedures. I will post back as soon as I can.

BTW, these people use the www.iwon.com page as their home page In fact, everytime we update SpywareBlaster , I have to remove the entry in the IE Restricted Zone. To me, the page just looks like a general information page where they sign up for news , weather updates, etc. What are the nasties associated with this page?

Thanks again,
Harvey]]> http://www.dslreports.com/forum/remark,12426384 Wed, 19 Jan 2005 11:26:00 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12425027 CalamityJane : Your problem is this:

Transponder - Ceres Variant
»doxdesk.com/parasite/Transponder.html

That page contains information on additional components that may have been installed and you should check to see if any of the additional files/registry entries need to be removed as all are not visible on the HijackThis log.

This particular variant we have seen comes bundled with a fresh install of Morpheus, in which case, you should caution your friend about spyware infested programs and taking care in downloading files from the interenet.

Adaware SE v. 1.05 with the most recent updates does have detection for this. Please make sure you have the latest version and updates as of Jan 11 is: SE1R25 11.01.2005

The Transponder DLL lives in the Windows folder. Before it can be deleted, it must be deregistered. Open a Command Prompt window (from Start->Programs->Accessories; called DOS prompt on Windows 95/98/Me) and enter the following command:

for the Ceres variant:

    cd "%WinDir%\System"
    regsvr32 /u ..\Ceres.dll

Then, boot the PC into SAFE MODE, scan with HijackThis and checkmark the following entries and press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = �home.iwon.com/index_gen.html

O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKLM\..\Run: [efjorvjqpwms] C:\WINDOWS\SYSTEM\vytlkzc.exe

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - �download.sidestep.com/get/k22675/sb028..

Remain in safe mode and delete the following files named in bold (if found)

SBCIE028.DLL

C:\WINDOWS\CERES.DLL

C:\WINDOWS\SYSTEM\vytlkzc.exe

Also check your system for a file named: buddy.exe If found, delete it too.

Reboot back into normal mode and scan again with HijackThis and post a fresh log.

You should make sure Adaware is updated and scan with it as well, since it may find more entries as well.

Be sure to visit the doxdesk parasites page linked above to see what other entries you may need to search and destroy on the system related to the Ceres variant.

Note:
System Soap Pro has been reported to come with Foistware and it is generally recommended to avoid using that program
See description here:
»www.liutilities.com/products/win···ry/soap/

--
It takes a disaster to make a woman out of a female

Gladiator Security Forum

Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,12425027 Wed, 19 Jan 2005 08:00:07 EDT Re: Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12424500 John2g : This may help remove iwon

»www3.ca.com/securityadvisor/pest···53079969
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,12424500 Wed, 19 Jan 2005 04:03:05 EDT Another Virus/Hijack Removal Problem http://www.dslreports.com/forum/remark,12423314 hgratt : Another friend, this time with win98se. He has serious problems with pop-ups from an object called CERES.

Have done the following, all in SAFE MODE:
1. Ran latest Spybot S&D
2. Ran latest Ad-Aware
3. Ran HJT

Main problem is with HJT (even in safe mode) the object/file ceres.dll keeps coming back. I also noticed that the HJT tool for removing a file at boot up was greyed out.

I could rename the file ceres.dll only in safe mode (afraid to delete it at the present time), but when I booted back up, the ceres pop-ups still came. Maybe other thing have to be removed in conjunction, This is the second time these cleaners have failed to remove stuff.

Anyway, any insights as to why I can't remove this stuff would be appreciated. Here is his HJT logfile:

Thanks,
Harvey

Logfile of HijackThis v1.99.0
Scan saved at 9:19:55 PM, on 1/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\TIOGA\CLIENT\BIN\TGCMD.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\TECH\WHEEL MOUSE\5.0\MOUSE32A.EXE
C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\INTERSIL\PRISM 802.11 WIRELESS LAN\CONFIG.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »home.iwon.com/index_gen.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.answerteam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [mgavrtclexe] c:\windows\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [efjorvjqpwms] C:\WINDOWS\SYSTEM\vytlkzc.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\Intersil\PRISM 802.11 Wireless LAN\Config.exe
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - »download.sidestep.com/get/k22675/sb028.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - »www2.incredimail.com/contents/se···ader.cab]]> http://www.dslreports.com/forum/remark,12423314 Tue, 18 Jan 2005 23:40:18 EDT