can't remove abetterinternet spyware - please help!

steph

Hi

I have the latest updated versions of Ad Aware, Spybot, and Spy Hunter, as
well as Hijack This.

Using combinations of these programs, most of the "ABetterInternet" direct
revenue spyware has been removed already, (it creates exe's like auroreco
(which are named with combinations of 6 random letters, and when one is
stopped another copy simply is created and begins in its place) and one
titled Buddy (but named a jumble of letters), as well as Nail.exe) BUT some
of these files keep coming back. Internet Explorer seems to be hardest hit
with popups everywhere and green fake "links" throughout webpage text...
also a random service keeps trying to start and being refused, with the
result that explorer eventually crashes... and I get constant hassle from
Zone Alarm telling me abeterinternet.com utility is trying to access the
internet (no I don't let it)

Nail.exe has been removed twice and the 'Buddy' exe has been deleted many
times, but something is continuing to create these files and run processes
which I can't trace. All 3 anti-spyware applications are coming up clean
even with deep scanning. I have googled the topic but have come up against
many different suggestions, none of which seem to work. I really can't
afford the time to format and reinstall my drive, there are about 20 gigs of
apps and most of them require custom settings to be applied.

Please Help!

Below is my Hijack This logfile from this morning if that is any help to
some kind technician...

Logfile of HijackThis v1.99.1
Scan saved at 11:15:19 a.m., on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\PROGRA~1\YourSoft\HYPERC~1\HyperCalendar.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\gah95on6.exe
c:\windows\system32\nludfcn.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Plaxo\2.2.3.2\InstallStub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
F:\_Program Files\AClock\aclock.exe
F:\_Program Files\ATnotes\ATnotes.exe
C:\Program Files\AnalogX\POW\pow.exe
C:\Program Files\TechSmith\SnagIt 6\SnagIt32.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\DOCUME~1\Steph\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Steph\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Outlook Express\msimn.exe
F:\_Program Files\Hijack This\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://approach.co.nz"); (C:\Documents and Settings\Steph\Application
Data\Mozilla\Profiles\default\k6agpcsz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Steph\Application
Data\Mozilla\Profiles\default\k6agpcsz.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft -
{49E0E0F0-5C30-11D4-945D-000000000003} -
C:\PROGRA~1\ashampoo\ASHAMP~3\PopUp.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} -
C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} -
C:\WINDOWS\system32\nsq156.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class -
{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program
Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version
Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [HyperCalendar 2]
C:\PROGRA~1\YourSoft\HYPERC~1\HyperCalendar.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS
Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software
Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [stknxek] c:\windows\system32\nludfcn.exe
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [TimeSled] "C:\Program Files\Time Sled\timesled.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] C:\Program
Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program
Files\Plaxo\2.2.3.2\InstallStub.exe -a
O4 - HKCU\..\Run: [AllToTray] C:\PROGRA~1\ALLTOT~1\ALLTOT~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe"
/background
O4 - Startup: aclock.lnk = F:\_Program Files\AClock\aclock.exe
O4 - Startup: ATnotes.lnk = F:\_Program Files\ATnotes\ATnotes.exe
O4 - Startup: MsgPlus.lnk = C:\Program Files\Messenger Plus! 2\MsgPlus.exe
O4 - Startup: MSN.lnk = D:\Program Files\MSN Messenger\msnmsgr.exe
O4 - Startup: POW!.lnk = C:\Program Files\AnalogX\POW\pow.exe
O4 - Startup: SnagIt 6.lnk = F:\Program Files\TechSmith\SnagIt
6\SnagIt32.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: ZoneAlarm Pro.lnk = F:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk =
C:\WINDOWS\system32\Wtablet\TabUserW.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone
Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture -
res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} -
C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{07C1D9C9-4025-436E-A46C-2A990B8EE573}:
NameServer = 192.168.0.1
O17 -
HKLM\System\CCS\Services\Tcpip\..\{41EBFEDF-9109-4C99-B106-B95AF69EEC29}:
NameServer = 202.27.158.40 202.27.156.72
O17 -
HKLM\System\CS1\Services\Tcpip\..\{07C1D9C9-4025-436E-A46C-2A990B8EE573}:
NameServer = 192.168.0.1
O17 -
HKLM\System\CS2\Services\Tcpip\..\{07C1D9C9-4025-436E-A46C-2A990B8EE573}:
NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common
Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe
Version Cue\service\VersionCue.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program
Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. -
C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program
Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec
Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation -
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program
Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -
C:\WINDOWS\svcproc.exe
O23 - Service: TabletService - Wacom Technology, Corp. -
C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 
Please do not post HJT logs on the MS newsgroups. Rather, post to one of
the specialized forums which I will give you. I particularly recommend
the AumHa forum. There are also specialized tools for removing this
pest, and the gurus at AumHa (or the other places if you prefer) will
guide you through this.

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

Malke
 
Malke said:
Please do not post HJT logs on the MS newsgroups. Rather, post to one of
the specialized forums which I will give you. I particularly recommend
the AumHa forum. There are also specialized tools for removing this
pest, and the gurus at AumHa (or the other places if you prefer) will
guide you through this.

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/
http://www.spywareinfo.com/forums/

Malke
--
MS MVP - Windows Shell/User
www.elephantboycomputers.com
In Memoriam - MVP Alex Nichol
The world is diminished without him.

hi - sorry for the breach in protocol - I'm not a heavy newsgroup user so
didn't know
thanks very much for all the links, will check them out
steph
 
Hi Steph,

In most cases without using third party, this takes three steps.

1. Start/Run/Regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Gain the exact path.
Note: Save these two to regedit favorites.

2. Start/Run/Msconfig/Startup

Gain the exact path.

3. Follow the path via Windows Explorer.

Leave/have all three windows opened, now open the Task Manager.

Once knowing the exact path, end the process via the Task Manager, then
delete the entry via Windows Explorer. From there, delete the run command
from both regedit and msconfig. With regedit still open, hit F5. If it
replaces itself, you didn't do it in a timely manner or you didn't follow
the exact placement path.

Note: In some cases, depending, you will be allowed to rename the .exe via
safe mode and then delete.

As per posting logfiles, next time try here:

Browser Hijack and Malware Removal Forums
http://forums.net-integration.net/index.php?c=19

How to obtain the most effective support
http://www.net-integration.net/tools/procedure.html

Spyware, Thiefware, Browser Hijackers, etc. Parasites Forum
http://forums.spywareinfo.com/index.php?s=7dc481729338294fb5d64090b77ef364&showtopic=9882

Good luck and keep us posted.


--
In memory of our dear friend, MVP Alex Nichol: http://www.dts-l.org/

All the Best,
Kelly (MS-MVP)

Troubleshooting Windows XP
http://www.kellys-korner-xp.com
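
Kelly's steps depend on having the exact path behind each Run value and knowing whether that image is currently running. As an added example (not part of any post in this thread, and not HijackThis's own code), this Python script pulls both from a HijackThis log and re-joins entries the newsreader wrapped. The function names are hypothetical, the sample is a constructed excerpt of the log posted above, wraps are assumed to fall on spaces, and a row in the output is an inventory item, not a verdict on the file.

```python
import re
from ntpath import normcase  # Windows path comparison rules on any host OS

# Constructed sample: lines excerpted from the log posted in this thread,
# hard wraps included.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\gah95on6.exe
c:\windows\system32\nludfcn.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKLM\..\Run: [stknxek] c:\windows\system32\nludfcn.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus!
3\MsgPlus.exe" /WinStart
O4 - Startup: aclock.lnk = F:\_Program Files\AClock\aclock.exe
"""

ENTRY_START = re.compile(r"^[A-Z]\d+ - ")  # "O4 - ", "N3 - ", "O23 - ", ...
RUN_VALUE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP_LINK = re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr))(?=\s|$)', re.I)


def unwrap(log):
    """Return (running process paths, numbered entries with wraps re-joined)."""
    processes, entries, in_processes = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        elif ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line  # continuation of a wrapped entry
    return processes, entries


def image_path(command):
    """Strip quotes and arguments from a Run command line."""
    m = IMAGE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def autoruns(log):
    """List every O4 autostart entry with its exact path and running state."""
    processes, entries = unwrap(log)
    # Case-insensitive match only; 8.3 short names will not match long names.
    running = {normcase(p) for p in processes}
    rows = []
    for entry in entries:
        run, link = RUN_VALUE.match(entry), STARTUP_LINK.match(entry)
        if run:
            hive, key, name, command = run.groups()
            where, image = f"{hive}\\..\\{key}", image_path(command)
        elif link:
            where, name, image = link.groups()
        else:
            continue
        rows.append({"where": where, "name": name, "image": image,
                     "running": normcase(image) in running})
    return rows


if __name__ == "__main__":
    for row in autoruns(SAMPLE_LOG):
        state = "running" if row["running"] else "not running"
        print(f'{row["where"]:<14} [{row["name"]}] {row["image"]} ({state})')
```

Entries reported as running are the ones where the process has to be ended before the file and its Run value are deleted, which is the ordering Kelly's procedure relies on.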


 