Search bar hijack

David

I am presently plagued with pop-ups - particularly the
ones from ilead.itrack.it, and the searchbar on IE is
constantly being changed. I also have the blue extra bar
frequently appearing along the bottom of the screen.
MSAS, Adaware SE and Spybot are not removing the problem.
I run AVG antivirus. All are up to date. Help...please!
 
Guest

I have tried them in Safe Mode. MSAS removed 55 items.
Ewido just removed a further 91 items. (I was actually
downloading it/running it already after seeing the advice
about 3 blogs before mine!) These are despite running the
programs normally (ie not in Safe Mode) roughly every 3
days. After running the programs now, I restarted the
computer, IE loaded, and I was immediately greeted with an
Ilead.itrack.it pop-up!
All has obviously not gone. This is a 'family' computer.
Do I have to run the software through each account?
Thanks
David
 
AndyManchesta

I've just posted to the LOP topic above yours so thought
I'd repeat the post here as I believe it's the same
infection.

LOP is most often transmitted by the program Messenger
Plus! 3. Do you have Messenger Plus installed?

If you still do have it installed, please uninstall it
completely from Start -> Control Panel -> Add/Remove
Programs and remove Messenger Plus, including the
Sponsor program, then restart your computer.

LOP do make an uninstaller on their site which has removed
the infection for users in the past, but it's not common
practice to use tools to remove infections that were
created by the people who created the infection. Can we
really trust a LOP uninstaller made by the people that
stealthily installed LOP on the computer in the first
place? Obviously people's opinions on this will differ
slightly, but the majority of us will not use it.

If you have problems and don't want to use their
uninstaller then use HijackThis.

LOP variants can be difficult to remove without seeing a
HijackThis log because each install is different and
they make random names up, so you can never predict what
the files will be called on a system. If needed, download
HijackThis and post the log and I will let you know what
needs removing to get rid of this infection.

Save it to the desktop or the C: drive:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Choose to run a scan and save the log and then copy and
paste that back.

LOP also likes to "write" to the Enumerating Task
Scheduler jobs.

That's easy enough to see in a StartupList log from HJT.

To get a StartupList log from HJT:

Open HijackThis and click "Open the Misc Tools section".
Next to "Generate StartupList log", place a check next
to "List also minor sections (full)" and "List empty
sections (complete)".
Then click "Generate StartupList log".
Click "Yes" to the box that pops up.

Then copy and paste the notepad text that appears to this
topic or my email address.


Regards Andy
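The random names Andy describes are what make these logs slow to read by eye. As an added example (not part of Andy's post, and not HijackThis code), this Python script walks HijackThis/StartupList lines and flags the patterns discussed in this thread: a search bar pointing at a random-looking host, a missing URLSearchHook, a BHO whose file is gone, RunServices and Application Data autoruns, AppInit_DLLs, and hex-named Task Scheduler jobs. The sample lines are copied from the log posted in this thread (one long URL shortened); the "random-looking" thresholds are my own assumptions and every hit is a pointer to look at, not a removal verdict.

```python
"""Triage a HijackThis-style log for the hijack patterns discussed in this
thread. Added example; heuristics only, every hit needs a human look."""
import re
from urllib.parse import urlparse

# Sample input copied from the log posted in this thread (long URL
# shortened); the .job lines come from its "Enumerating Task Scheduler jobs".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.jbdlwuxnazr.com/5nhulp6ynJi66ZQmU965YpuonUIZ5/x.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [windows] iexplore.exe
O4 - HKCU\..\Run: [OnlineCdrom] C:\DOCUME~1\David\APPLIC~1\ATOMDE~1\32third.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
FRU Task #Hewlett-Packard#hp psc 1200 series#1097605884.job
AE1C853490B339C0.job
87AB47859A2CE899.job
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_JOB = re.compile(r"^[0-9A-F]{16}\.job$", re.IGNORECASE)  # e.g. AE1C853490B339C0.job
VOWELS = set("aeiou")


def looks_random(label):
    """Crude 'made-up name' test (assumed thresholds): few vowels or a long
    consonant run. Flags 'jbdlwuxnazr'; leaves short/pronounceable labels alone."""
    letters = "".join(c for c in label.lower() if c.isalpha())
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def random_host(url):
    """True if any label of the URL's host (TLD excluded) looks random."""
    if "://" not in url:
        url = "http://" + url  # bare 'www.google.com' style values
    host = urlparse(url).hostname or ""
    return any(looks_random(lbl) for lbl in host.split(".")[:-1])


def first_exe(cmd):
    """Executable part of a Run value, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage_line(line):
    """Reason string if the line matches a hijack pattern, else None."""
    line = line.strip()
    if not line:
        return None
    if HEX_JOB.match(line):
        return "Task Scheduler job with a random hex name"
    m = HJT_LINE.match(line)
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value and random_host(value):
            return "IE search/start page points at a random-looking host"
    elif sec == "R3" and "missing" in body:
        return "default URLSearchHook is missing (worth checking)"
    elif sec == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is gone (orphan entry)"
    elif sec == "O4":
        r = RUN_ENTRY.match(body)
        if r:
            exe = first_exe(r.group("cmd"))
            if r.group("key") == "RunServices" and "\\" not in exe:
                return "RunServices launches a bare '%s' with no path" % exe
            cmd_upper = r.group("cmd").upper()
            if "APPLIC~1" in cmd_upper or "APPLICATION DATA" in cmd_upper:
                return "autorun from a user profile Application Data folder"
    elif sec == "O20":
        return "AppInit_DLLs entry: this DLL is loaded into every process"
    return None


def triage(log_text):
    """Return [(line, reason)] for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%s\n    %s" % (reason, line))
```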
 
David

Andy
I have checked the Add/Remove Programs - Messenger Plus! 3
is not listed. A search locates it in the C/programs
file. But looking on the c/programs list it is not there??
Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 16:30:53, on 30/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.jbdlwuxnazr.com/5nhulp6ynJi66ZQmU965YpuonUIZ5/GQwvHJlZL3mj/nw3akEy_FEMBMS5SKmTaz.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [OnlineCdrom] C:\DOCUME~1\David\APPLIC~1\ATOMDE~1\32third.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Full Java Client 3.1.0.246 - http://chat-a2.wanadoo.co.uk/Java/cfs31246.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-a1.wanadoo.co.uk/Java/cfs31248.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119273525046
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

*********************************************************

And here is the StartupList log:

StartupList report, 30/09/2005, 16:36:07
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\David\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
hpoddt01.exe.lnk = ?
hp psc 1000 series.lnk = ?
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
WinampAgent = C:\Program Files\Winamp\winampa.exe
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

windows = iexplore.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Window Washer = C:\Program Files\Webroot\Washer\wwDisp.exe
OnlineCdrom = C:\DOCUME~1\David\APPLIC~1\ATOMDE~1\32third.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{130BAEC2-FEBA-11D3-86EE-00C04F682D70}S06694] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=MsgPlusLoader.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

..lnk: HIDDEN! (arrow overlay: yes)
..pif: HIDDEN! (arrow overlay: yes)
..exe: not hidden
..com: not hidden
..bat: not hidden
..hta: not hidden
..scr: not hidden
..shs: HIDDEN!
..shb: not hidden
..vbs: not hidden
..vbe: not hidden
..wsh: not hidden
..scf: HIDDEN! (arrow overlay: NO!)
..url: HIDDEN! (arrow overlay: yes)
..js: not hidden
..jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1097605884.job
AE1C853490B339C0.job
87AB47859A2CE899.job
A2CF8D4D91243E6D.job
B470BC4095732C04.job
914E0EDF9A15A8EF.job

--------------------------------------------------

Enumerating Download Program Files:

[ChatSpace Full Java Client 3.1.0.246]
CODEBASE = http://chat-a2.wanadoo.co.uk/Java/cfs31246.cab
OSD = C:\WINDOWS\Downloaded Program Files\ChatSpace Full Java Client 3.1.0.246.osd

[ChatSpace Full Java Client 3.1.0.248]
CODEBASE = http://chat-a1.wanadoo.co.uk/Java/cfs31248.cab
OSD = C:\WINDOWS\Downloaded Program Files\ChatSpace Full Java Client 3.1.0.248.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Yahoo! Checkers]
CODEBASE = http://download.games.yahoo.com/games/clients/y/kt4_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Checkers.osd

[Yahoo! Chess]
CODEBASE = http://download.games.yahoo.com/games/clients/y/ct2_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Chess.osd

[Yahoo! Literati]
CODEBASE = http://download.games.yahoo.com/games/clients/y/tt3_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Literati.osd

[Yahoo! Poker]
CODEBASE = http://download.games.yahoo.com/games/clients/y/pt1_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Poker.osd

[Yahoo! Pool 2]
CODEBASE = http://download.games.yahoo.com/games/clients/y/pote_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Pool 2.osd

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SWDIR.DLL
CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

[Windows Genuine Advantage]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1096397756562

[{26CBF141-7D0F-46E1-AA06-718958B6E4D2}]
CODEBASE = http://download.ebay.com/turbo_lister/UK/install.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINDOWS\system32\Cult3D\IECult.dll
CODEBASE = http://www.cult3d.com/download/cult.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119273525046

[FileSharingCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\fsmsngr-en.dll
CODEBASE = http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab

[{88D758A3-D33B-45FD-91E3-67749B4057FA}]
CODEBASE = http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

[Java Plug-in 1.4.1]
InProcServer32 = C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
CODEBASE = http://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

[ScorchPlugin Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\NPSibelius.dll
CODEBASE = http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab

[Java Plug-in 1.4.1]
InProcServer32 = C:\Program Files\Java\j2re1.4.1\bin\npjpi141.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_1-windows-i586.cab

[Java Plug-in 1.4.2_01]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ZoneChess Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Chess.ocx
CODEBASE = http://messenger.zone.msn.com/binary/Chess.cab31267.cab

[Solitaire Showdown Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\solitaireshowdown.dll
CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\system32\wshbth.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
SpeedTouch USB ADSL PPP Networking Driver (NDISWAN): system32\DRIVERS\alcan5wn.sys (manual start)
SpeedTouch ADSL Modem ATM Transport: system32\DRIVERS\alcaudsl.sys (manual start)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Rezident Driver: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (autostart)
AVG Network Redirector: \??\C:\WINDOWS\System32\Drivers\avgtdi.sys (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth Request Block Driver: system32\DRIVERS\BthEnum.sys (manual start)
Bluetooth Serial Communications Driver: system32\DRIVERS\bthmodem.sys (manual start)
Bluetooth Device (Personal Area Network): system32\DRIVERS\bthpan.sys (manual start)
Bluetooth Port Driver: System32\Drivers\BTHport.sys (manual start)
Bluetooth Support Service: %SystemRoot%\system32\svchost.exe -k bthsvcs (autostart)
Bluetooth Radio USB Driver: System32\Drivers\BTHUSB.sys (manual start)
C4C_BSC2: System32\DRIVERS\C4C_BSC2.sys (manual start)
Closed Caption Decoder: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Arrowkey Device Access: \??\C:\Program Files\321Studios\Shared\CDRPDACC.SYS (autostart)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
Fallback: System32\DRIVERS\C4C_FALL.sys (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Fsks: System32\DRIVERS\C4C_FSKS.sys (autostart)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: system32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: system32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: system32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
iMSPCLOj: \??\C:\DOCUME~1\Ricky\LOCALS~1\Temp\iMSPCLOj.sys (manual start)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
K56: System32\DRIVERS\C4C_K56K.sys (autostart)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: system32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Upper Class Filter Driver: System32\DRIVERS\NTIDrvr.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
O&O Defrag: C:\WINDOWS\system32\oodag.exe (autostart)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Dual Mode USB Camera Plus: System32\Drivers\omcamvid.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Low level access layer for CD devices: System32\Drivers\Pcouffin.sys (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINDOWS\system32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Bluetooth Device (RFCOMM Protocol TDI): system32\DRIVERS\rfcomm.sys (manual start)
Rksample: System32\DRIVERS\C4C_SAMP.sys (manual start)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
SoftFax: System32\DRIVERS\C4C_FAXX.sys (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Still Serial Digital Camera Driver: system32\DRIVERS\serscan.sys (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{BB487B1C-0F31-4663-9CB9-DE60DB641E54} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tones: System32\DRIVERS\C4C_TONE.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
Motorola USB Modem Driver: system32\DRIVERS\usbser.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
V124: System32\DRIVERS\C4C_V124.sys (autostart)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: System32\vsdatant.sys (system)
TrueVector Internet Monitor: C:\WINDOWS\system32\ZONELABS\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 40,076 bytes
Report generated in 0.078 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Thanks for your help

David
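Reading a StartupList report like the one above by hand means scanning a few hundred service and driver lines for the one that does not belong. The Python script below is an added example, not part of David's post and not code from the StartupList or HijackThis tools: it re-joins the records that the newsreader hard-wrapped, parses each into service name, image path and start type, and flags any image that lives in a Temp directory or is loaded from outside the Windows and Program Files trees. The sample input is a handful of records copied from the log above with the wrapping kept; the trusted-location list, the `-`/backslash re-join heuristic and the assumption that %SystemRoot% is C:\WINDOWS are mine. A hit means "ask about this file", not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: records copied from the StartupList services section
# posted above, keeping the newsreader's hard line wrapping so the parser
# has to re-join them first.
SAMPLE_SERVICES = r"""
Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k
LocalService (disabled)
AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVGFRE~1
\avgamsvr.exe (autostart)
Arrowkey Device Access: \??\C:\Program
Files\321Studios\Shared\CDRPDACC.SYS (autostart)
iMSPCLOj: \??\C:\DOCUME~1\Ricky\LOCALS~1
\Temp\iMSPCLOj.sys (manual start)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -
k netsvcs (manual start)
TrueVector Internet Monitor: C:\WINDOWS\system32
\ZONELABS\vsmon.exe -service (autostart)

--------------------------------------------------
"""

# Every StartupList service record ends with one of these in parentheses.
START_TYPES = ("system", "autostart", "manual start", "disabled")
RECORD_RE = re.compile(
    r"^(?P<name>.+?): (?P<image>.+) \((?P<start>" + "|".join(START_TYPES) + r")\)$"
)

# Where service and driver images live on a default XP install (assumption:
# %SystemRoot% is C:\WINDOWS, as the posted log shows). Anything loaded from
# elsewhere deserves a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def join_wrapped(lines):
    """Re-join records the poster's newsreader wrapped across lines.

    A record is complete once it ends with its start type in parentheses.
    A continuation that starts with a backslash, or follows a trailing '-',
    is glued on without a space (the wrap split a path or an '-k' switch);
    any other continuation gets its space back. Headers, blank lines and
    separator rules are skipped.
    """
    records, buf = [], ""
    for raw in lines:
        line = raw.rstrip()
        if not line or set(line) == {"-"} or line.startswith("Enumerating"):
            continue
        if not buf:
            buf = line
        elif line.startswith("\\") or buf.endswith("-"):
            buf += line
        else:
            buf += " " + line
        if RECORD_RE.match(buf):
            records.append(buf)
            buf = ""
    return records


def normalize_image_path(image):
    """Reduce StartupList's spellings of one location to a lowercase absolute
    path: drop svchost/vsmon style switches, the \\??\\ device prefix, and
    expand %SystemRoot%, \\SystemRoot\\ and bare System32\\ forms."""
    path = image.split(" -")[0].split(" /")[0].strip().lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    path = path.replace("%systemroot%", "c:\\windows")
    if path.startswith("\\systemroot\\"):
        path = "c:\\windows" + path[len("\\systemroot"):]
    if path.startswith("system32\\"):
        path = "c:\\windows\\" + path
    return path


@dataclass
class Finding:
    name: str
    image: str
    start: str
    reasons: list = field(default_factory=list)


def triage(report_text):
    """Parse the services section and return only records that trip a
    location heuristic, each with its reasons. A hit is a prompt to look at
    the file, not a malware verdict."""
    findings = []
    for record in join_wrapped(report_text.splitlines()):
        m = RECORD_RE.match(record)
        name, image, start = m.group("name"), m.group("image"), m.group("start")
        path = normalize_image_path(image)
        reasons = []
        if "\\temp\\" in path:
            reasons.append("image lives in a Temp directory")
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("image loaded from outside Windows and Program Files")
        if reasons:
            findings.append(Finding(name, image, start, reasons))
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_SERVICES):
        print(f"{hit.name} [{hit.start}]: {hit.image}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

On the sample the only record that trips the heuristics is the driver loaded from a user profile's Temp directory; every Microsoft, AVG, 321Studios and ZoneLabs image resolves under the trusted trees and stays quiet. Feeding the full services section from the report gives the same single hit, which is the kind of line a helper reading the log would ask the poster about first.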
 
A

AndyManchesta

Hi David

The post below is blank? I suspect it's MS who have
removed it from the HTTP side because I asked you to post
a Hijack This log. It happens a lot on here, so maybe they
don't like the malware they cannot remove or detect to be
shown to everyone else :)

I'm at work but will be finished in about an hour; it's
5.30pm here in the UK, so I will try a newsreader to view
your post when I get in, as they are usually still
viewable through them.

At the moment I cannot see your reply at all, so I'm not
sure if the problem is solved, but with it being removed
I'm guessing you have posted a Hijack This log, so I will
try to view it and let you know what's causing the
problems.

Andy
 
A

AndyManchesta

Hi Again

I was able to read your Hijack This log by using the
newsreader and it is the LOP infection caused by
MessengerPlus3. I've started an area on my forum for
Hijack This and posted your log on there.

It's http://www.andymanchesta.com/ then press Forum Link 1
or 2 in the menu and go to the Hijack This topic.


Thanks Andy
 
