Popups in Security http://www.dslreports.com/forum/r9115397 en Thu, 03 Dec 2009 12:03:17 EDT Thu, 03 Dec 2009 12:03:17 EDT Re: Popups http://www.dslreports.com/forum/remark,9118827 pream : I have to leave now. Thanks all for your help. It looks like the first job got rid of the two files from starting. I am posting the latest hijackthis. If there is any more I can do, I might be able to guide my son through it over the phone.

Logfile of HijackThis v1.97.7
Scan saved at 7:30:24 PM, on 1/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\IPOD\BIN\IPODMANAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BROADBAND\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »hometab.bellsouth.net/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mfg: C:\PROGRA~1\INTERN~1\PLUGINS\npmirage.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - »chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - »fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - »www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···12268519
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - »www.fastaccesstools.com/sdccommo···tlpw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »us.chat1.yimg.com/us.yimg.com/i/···scom.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - »lg.home.microsoft.com/search/lob···ings.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1408.g.akamai.net/7/1408/9955/2···etup.exe]]> http://www.dslreports.com/forum/remark,9118827 Sun, 18 Jan 2004 19:33:31 EDT Re: Popups http://www.dslreports.com/forum/remark,9118397 pream : Yes the first file ran fine. I tried running "Find backup and Delete Peper files.vbs" from safe mode, but got the same result.]]> http://www.dslreports.com/forum/remark,9118397 Sun, 18 Jan 2004 18:43:57 EDT Re: Popups http://www.dslreports.com/forum/remark,9117895 Zupe : So the first file ran without a problem? You may want to try booting to safe mode and running "Find backup and Delete Peper files.vbs" from there.

You might also want to check in NAV's options under Script Blocking and verify that it's set to "Ask Me What to Do", as the other option would prevent this from running without a prompt and could probably cause an error like that.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?]]> http://www.dslreports.com/forum/remark,9117895 Sun, 18 Jan 2004 17:47:35 EDT Re: Popups http://www.dslreports.com/forum/remark,9117311 pream : Also I deleted all from startup with the same result.]]> http://www.dslreports.com/forum/remark,9117311 Sun, 18 Jan 2004 16:29:17 EDT Re: Popups http://www.dslreports.com/forum/remark,9117163 pream : I have downloaded the two files and run them. When I run Find backup and delete oeoer files.vbs, it prompts for the file. When I enter Rcn0.exe, it appears to run for about 2 minutes and then I get an "out of memory" message.

Any ideas?]]> http://www.dslreports.com/forum/remark,9117163 Sun, 18 Jan 2004 16:09:21 EDT Re: Popups http://www.dslreports.com/forum/remark,9116541 Zupe :
said by John2g See Profile:
I cannot find anything on theses 2 exes and they seem to be suspicious.

C:\WINDOWS\SYSTEM\ZMZ4.EXE
C:\WINDOWS\SYSTEM\RSAQS5.EXE

Someone thinks that RSAQS5.EXE is a trojan, but I cannot confirm that.
Those both look to be part of the Peper trojan I mentioned above. They'll be removed if you use the uninstall procedure I listed.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?]]> http://www.dslreports.com/forum/remark,9116541 Sun, 18 Jan 2004 14:49:31 EDT Re: Popups http://www.dslreports.com/forum/remark,9116537 John2g :
said by pream See Profile:
I have done searches for both of these and cannot find them. He is running NAV 2002.


He may have these as hidden files. To unhide them, go to Control Panel\Folder Options\View and "uncheck" Hide protected operating system files.

Then recheck, as they are listed in running applications in HJT.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9116537 Sun, 18 Jan 2004 14:49:08 EDT Re: Popups http://www.dslreports.com/forum/remark,9116528 Zupe :
said by pream See Profile:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »server224.smartbotpro.net/7search/?003-nhp

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)

O2 - BHO: (no name) - {338DB36D-828A-4D18-8864-977B09C4B8A7} - C:\WINDOWS\SYSTEM\QDBGHELP.DLL

O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\Rcn0.exe

O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL/201

O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - »www.myfamily.com/plugins/ue/Install_UE.exe

O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - »www.fastaccesstools.com/sdccommo···tlpw.cab
You've got the Peper trojan among other things.

To deal with the Peper trojan, do the following:

1. Download and run this file to fix the Peper Trojan: »home01.wxs.nl/~kleyn080/uninst.exe

Double click on 'uninst.exe', let it run and terminate.

2. To delete the related files download the following tool:
»www.mjc1.com/files/mo/drpepertobackup.exe

Double-click the downloaded file and it will extract to C:\drpeper

Navigate to the C:\drpeper folder and double-click "Find backup and Delete Peper files.vbs"

At the first prompt copy and paste: Rcn0.exe and hit ok.

You will get a confirmation notice, then a second prompt:
At the second prompt, paste: ZMZ4.EXE and hit ok.

It will find all the files, delete them and will make backups in the same folder. It will then open a text file (Peper.txt) with the list of all files deleted. Make sure that text file is saved.

Next, with all browser windows closed, rescan with Hijack This and put a check next to any of the items I listed above that remain, then click "Fix Checked". Reboot, rescan with Hijack This and post a new log here together with the contents of the Peper.txt file you saved earlier.
--
Brain: Pinky, are you pondering what I'm pondering?
Pinky: I think so, Brain, but "Snowball for Windows"?]]> http://www.dslreports.com/forum/remark,9116528 Sun, 18 Jan 2004 14:48:23 EDT Re: Popups http://www.dslreports.com/forum/remark,9116489 pream : I have done searches for both of these and cannot find them. He is running NAV 2002.]]> http://www.dslreports.com/forum/remark,9116489 Sun, 18 Jan 2004 14:43:16 EDT Re: Popups http://www.dslreports.com/forum/remark,9116361 John2g :
said by pream See Profile:
Shootthemessanger does not support Windows ME.


I'm sorry. I had forgotten he was using ME.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9116361 Sun, 18 Jan 2004 14:29:07 EDT Re: Popups http://www.dslreports.com/forum/remark,9116306 pream : Shootthemessanger does not support Windows ME.]]> http://www.dslreports.com/forum/remark,9116306 Sun, 18 Jan 2004 14:21:19 EDT Re: Popups http://www.dslreports.com/forum/remark,9115854 John2g : I cannot find anything on theses 2 exes and they seem to be suspicious.

C:\WINDOWS\SYSTEM\ZMZ4.EXE
C:\WINDOWS\SYSTEM\RSAQS5.EXE

Someone thinks that RSAQS5.EXE is a trojan, but I cannot confirm that.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9115854 Sun, 18 Jan 2004 13:31:53 EDT Re: Popups http://www.dslreports.com/forum/remark,9115789 John2g : As a general point, your son may be getting pop ups as a result of running "Windows Messenger"

You can overcome this by downloading and running shootthemessenger from: »grc.com/stm/shootthemessenger.htm

Another way of stopping most pop ups is to DISABLE Java and Active Scripting in Internet Explorer. Go to Tools\Internet Options\Security and click the "Internet" icon and choose "Custom" and you can alter the settings there.
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9115789 Sun, 18 Jan 2004 13:24:12 EDT Re: Popups http://www.dslreports.com/forum/remark,9115711 John2g : I am NOT an expert, but I think you should have HJT fix the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »server224.smartbotpro.net/7search/?003..
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)
O2 - BHO: (no name) - {338DB36D-828A-4D18-8864-977B09C4B8A7} - C:\WINDOWS\SYSTEM\QDBGHELP.DLL
O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\Rcn0.exe
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL/201
--
Better to remain silent and be thought a fool, than to speak and remove all doubt. ]]> http://www.dslreports.com/forum/remark,9115711 Sun, 18 Jan 2004 13:16:00 EDT Popups http://www.dslreports.com/forum/remark,9115397 pream : I am my son's computer. Windows ME. He has a popup nightmare. One after another. He has allowed many people to download onto this system. I have been working each time I am here to try to correct, with no success. I have run Spybot. Now Hijackthis. Any help would be greatly appreciated.

Logfile of HijackThis v1.97.7
Scan saved at 12:37:45 PM, on 1/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\IPOD\BIN\IPODMANAGER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\IPOD\BIN\IPODSERVICE.EXE
C:\WINDOWS\SYSTEM\ZMZ4.EXE
C:\WINDOWS\SYSTEM\RSAQS5.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\DOWNLOAD\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »server224.smartbotpro.net/7search/?003-nhp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = »hometab.bellsouth.net/
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {338DB36D-828A-4D18-8864-977B09C4B8A7} - C:\WINDOWS\SYSTEM\QDBGHELP.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\Rcn0.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH304181.DLL/201
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .mfg: C:\PROGRA~1\INTERN~1\PLUGINS\npmirage.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - »chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - »fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - »www.myfamily.com/plugins/ue/Install_UE.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···12268519
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - »www.fastaccesstools.com/sdccommo···tlpw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »us.chat1.yimg.com/us.yimg.com/i/···scom.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - »lg.home.microsoft.com/search/lob···ings.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1408.g.akamai.net/7/1408/9955/2···etup.exe]]> http://www.dslreports.com/forum/remark,9115397 Sun, 18 Jan 2004 12:44:00 EDT