
System32 Problems


  • This topic is locked
9 replies to this topic

#1 XF4Evr

  • Full Member
  • 6 posts

Posted 05 July 2004 - 12:36 PM

For almost a year, my System32 folder opens upon Windows XP startup, then when I click it to close it, it closes for a second and then reappears. Along with this problem, if I click on any icon in any folder (to open another subfolder), it reopens in a new window, leaving tons of open windows on my desktop... never happened before. I haven't changed any of the configurations on my computer.
Now when I start up, another error comes up saying: error loading C:\WINDOWS\System32\bridge.dll the specified module could not be found??????
Here is my HijackThis log. What should I delete, and how do I fix my computer? I am sure it has hundreds of viruses as well; is there any good freeware to download? :scratchhead:


Logfile of HijackThis v1.98.0
Scan saved at 1:18:20 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\America Online 9.0i\aoltray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\webshots.scr
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.....asp?keyphrase=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\System32\cdsm32.dll
O1 - Hosts: 217.116.231.7 aimtoday.aol.com127.0.0.1 media.altnet.com
O1 - Hosts: 66.221.79.6 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O2 - BHO: (no name) - {FF54E62B-007E-46A8-A673-1D8AABDD37E7} - C:\WINDOWS\system32\qrxdfxkc.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...p_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com...ges/header.jpg" width="605" height="79" usemap="#FPMap0"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...p_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com...ges/header.jpg" width="605" height="79" usemap="#FPMap0"></td>
O4 - HKLM\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com...ages/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com...s/bg_main.gif">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...t_img_grey.gif" width="172" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...t_img_grey.gif" width="172" height="6"></p>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...es/arr_fav.gif" width="4" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...es/arr_fav.gif" width="4" height="6"> <b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Casino">Online Casino</a></b>] c:\WINDOWS\System32\ <a href="http://search.lop.co... Casino">Online Casino</a></b><br>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...s/dots_fav.gif" width="154" height="1" vspace="2">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...s/dots_fav.gif" width="154" height="1" vspace="2"><br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Dating">Online Dating</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co... Dating">Online Dating</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ht Loss">Weight Loss</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...ht Loss">Weight Loss</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rtridge">Inkjet Cartridge</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...rtridge">Inkjet Cartridge</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...h Advance">Cash Advance</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...h Advance">Cash Advance</a></b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...unity">Business Opportunity</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...unity">Business Opportunity</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Hosting">Domain Hosting</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...Hosting">Domain Hosting</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...t Cards">Credit Cards</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...t Cards">Credit Cards</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Distance">Long Distance</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co... Distance">Long Distance</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ravel">Discount Travel</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...ravel">Discount Travel</a></b>
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;</td>
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...earch_topl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...earch_topl.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...ges/spacer.gif" width="1" height="1"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...ges/spacer.gif" width="1" height="1"></td>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...earch_topr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...earch_topr.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKLM\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKLM\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKLM\..\Run: [ <INPUT type=image border="0" src="http://image.lop.com...but_search.gif" width="80" height="22"></a><] c:\WINDOWS\System32\ <INPUT type=image border="0" src="http://image.lop.com...but_search.gif" width="80" height="22"></a></td>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...earch_botl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...earch_botl.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...earch_botr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...earch_botr.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rtainment</a><] c:\WINDOWS\System32\ <a href="http://search.lop.co...inment</a></h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...page&s=Computer Games">Computer Games</] c:\WINDOWS\System32\ <a href="http://search.lop.co...page&s=Computer Games">Computer Games</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...saging">Instant Messaging</] c:\WINDOWS\System32\ <a href="http://search.lop.co...saging">Instant Messaging</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ducation">Adult Education</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ducation">Adult Education</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...tridge">Printer Cartridge<] c:\WINDOWS\System32\ <a href="http://search.lop.co...tridge">Printer Cartridge</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Hosting">Domain Hosting</] c:\WINDOWS\System32\ <a href="http://search.lop.co...Hosting">Domain Hosting</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...olidation">Debt Consolidation</] c:\WINDOWS\System32\ <a href="http://search.lop.co...olidation">Debt Consolidation</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Business">Home Business</] c:\WINDOWS\System32\ <a href="http://search.lop.co... Business">Home Business</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...eting">Internet Marketing</] c:\WINDOWS\System32\ <a href="http://search.lop.co...eting">Internet Marketing</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Distance">Long Distance</] c:\WINDOWS\System32\ <a href="http://search.lop.co... Distance">Long Distance</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Cards">Business Cards</] c:\WINDOWS\System32\ <a href="http://search.lop.co...Cards">Business Cards</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...From Home">Work From Home</] c:\WINDOWS\System32\ <a href="http://search.lop.co...From Home">Work From Home</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ncorporation</] c:\WINDOWS\System32\ <a href="http://search.lop.co...corporation</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...unity">Business Opp.</] c:\WINDOWS\System32\ <a href="http://search.lop.co...unity">Business Opp.</a>..
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ite Design">Web Site Design</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ite Design">Web Site Design</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...oney">Investing Money</] c:\WINDOWS\System32\ <a href="http://search.lop.co...oney">Investing Money</a>,
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com.../dots_main.gif" width="1" height="450"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com.../dots_main.gif" width="1" height="450"></td>
O4 - HKLM\..\Run: [ <h1><a href="http://search.lop.co... Casino">Online Casino</a><] c:\WINDOWS\System32\ <h1><a href="http://search.lop.co... Casino">Online Casino</a></h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Betting">Sports Betting</] c:\WINDOWS\System32\ <a href="http://search.lop.co...Betting">Sports Betting</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Casino">Online Casino</] c:\WINDOWS\System32\ <a href="http://search.lop.co... Casino">Online Casino</a>,
O4 - HKLM\..\Run: [ <h1><a href="http://search.lop.co...=Travel">Travel Services</a><] c:\WINDOWS\System32\ <h1><a href="http://search.lop.co...=Travel">Travel Services</a></h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ravel">Discount Travel</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ravel">Discount Travel</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rning">Distance Learning</] c:\WINDOWS\System32\ <a href="http://search.lop.co...rning">Distance Learning</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...hools">Business Schools</] c:\WINDOWS\System32\ <a href="http://search.lop.co...hools">Business Schools</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ining">Computer Training</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ining">Computer Training</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...nline">Pharmacy Online</a>...] c:\WINDOWS\System32\ <a href="http://search.lop.co...nline">Pharmacy Online</a>...<br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co... Gift">Birthday Gift</] c:\WINDOWS\System32\ <a href="http://search.lop.co... Gift">Birthday Gift</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...provement">Home Improvement</] c:\WINDOWS\System32\ <a href="http://search.lop.co...provement">Home Improvement</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...esign">Interior Design</] c:\WINDOWS\System32\ <a href="http://search.lop.co...esign">Interior Design</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...e Theater">Home theater</a>...] c:\WINDOWS\System32\ <a href="http://search.lop.co...e Theater">Home theater</a>...<br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Resource">Human Resource</] c:\WINDOWS\System32\ <a href="http://search.lop.co...Resource">Human Resource</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Services">Legal Services</] c:\WINDOWS\System32\ <a href="http://search.lop.co...Services">Legal Services</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rtising">Online Advertising</a>...] c:\WINDOWS\System32\ <a href="http://search.lop.co...rtising">Online Advertising</a>...<br>
O4 - HKLM\..\Run: [ <td width="777" background="http://image.lop.com.../bg_bottom.gif" align="center" valign="top" height="] c:\WINDOWS\System32\ <td width="777" background="http://image.lop.com.../bg_bottom.gif" align="center" valign="top" height="55">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...links_left.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...links_left.gif" width="36" height="30"></td>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com...ttom_links.gif" style="padding-top: 4" align="center" valign="t] c:\WINDOWS\System32\ <td background="http://image.lop.com...ttom_links.gif" style="padding-top: 4" align="center" valign="top">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com...inks_right.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com...inks_right.gif" width="36" height="30"></td>
O4 - HKLM\..\Run: [4MHWDQL4DQELJK] C:\WINDOWS\System32\Gbi1r6.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HEAD>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKLM\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKLM\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKLM\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKLM\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKLM\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKLM\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKLM\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKLM\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKLM\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKLM\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKLM\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKLM\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKLM\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKLM\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKLM\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKLM\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKLM\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKLM\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKLM\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKLM\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKLM\..\Run: [<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.i] c:\WINDOWS\System32\<link rel="SHORTCUT ICON" href="http://www.lop.com/f...m/favicon.ico">
O4 - HKLM\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKLM\..\Run: [<script src="http://rub.to/info.j...fo.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.j...o.js"></script>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ge&s=Adult">Ad] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=Adult">Adult
O4 - HKLM\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...=Diet Pills">D] c:\WINDOWS\System32\ <a href="http://search.lop.co...iet Pills">Diet
O4 - HKLM\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...&s=Hosting">Web Hosting</a></b>] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=Hosting">Web Hosting</a></b><br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...me Business">H] c:\WINDOWS\System32\ <a href="http://search.lop.co... Business">Home
O4 - HKLM\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...tivirus</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...tivirus</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...>Travel</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...>Travel</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...">Bingo</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...">Bingo</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ge&s=Hosting">] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=Hosting">Web
O4 - HKLM\..\Run: [ Hosting</a></b> ] c:\WINDOWS\System32\ Hosting</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...s=Home Loan">H] c:\WINDOWS\System32\ <a href="http://search.lop.co...Home Loan">Home
O4 - HKLM\..\Run: [ Loan</a></b> ] c:\WINDOWS\System32\ Loan</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Jackpot</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...Jackpot</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Home">Home</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...e">Home</a></b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...>Viagra</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...>Viagra</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...nternet</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...nternet</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...mputers</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...mputers</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ome Finance">H] c:\WINDOWS\System32\ <a href="http://search.lop.co...e Finance">Home
O4 - HKLM\..\Run: [ Finance</a></b> ] c:\WINDOWS\System32\ Finance</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...">Gifts</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...">Gifts</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...p3">MP3</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...p3">MP3</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...">Business</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...usiness</a></b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...">Music</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...">Music</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Cruises</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...Cruises</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...mes">Games</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...">Games</a></b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rsonals</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.co...rsonals</a></b> <br>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...s=DVD">DVD</a>] c:\WINDOWS\System32\ <a href="http://search.lop.co...VD">DVD</a></b>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...opping</a></b>] c:\WINDOWS\System32\ <a href="http://search.lop.co...ing</a></b><br>
O4 - HKLM\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKLM\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKLM\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKLM\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>
O4 - HKLM\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKLM\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...&s=Mp3">Mp3</a] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=Mp3">Mp3</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ge&s=DVD">DVD<] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=DVD">DVD</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...age&s=Tv">TV</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ge&s=Tv">TV</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ers">Flowers</] c:\WINDOWS\System32\ <a href="http://search.lop.co...rs">Flowers</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ree Stuff">Free Stuff</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ree Stuff">Free Stuff</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ng">Shopping</] c:\WINDOWS\System32\ <a href="http://search.lop.co...g">Shopping</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...s=Chat">Chat</] c:\WINDOWS\System32\ <a href="http://search.lop.co...=Chat">Chat</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...w Pages">Yellow Pages</] c:\WINDOWS\System32\ <a href="http://search.lop.co...w Pages">Yellow Pages</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Jokes">Jokes</] c:\WINDOWS\System32\ <a href="http://search.lop.co...okes">Jokes</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...>Tickets</a>... ] c:\WINDOWS\System32\ <a href="http://search.lop.co...>Tickets</a>... <br>
O4 - HKLM\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...lt">Adult</a><] c:\WINDOWS\System32\ <a href="http://search.lop.co...>Adult</a></h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ult Chat">Adult Chat</] c:\WINDOWS\System32\ <a href="http://search.lop.co...ult Chat">Adult Chat</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...s=Love">Love</] c:\WINDOWS\System32\ <a href="http://search.lop.co...=Love">Love</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...lt Dvd">DVDs</] c:\WINDOWS\System32\ <a href="http://search.lop.co...t Dvd">DVDs</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...ian">Lesbian</] c:\WINDOWS\System32\ <a href="http://search.lop.co...an">Lesbian</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...agra">Viagra</] c:\WINDOWS\System32\ <a href="http://search.lop.co...gra">Viagra</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...re">Hardcore</] c:\WINDOWS\System32\ <a href="http://search.lop.co...e">Hardcore</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...rie">Lingerie<] c:\WINDOWS\System32\ <a href="http://search.lop.co...e">Lingerie</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...lt Video">Adult Video</] c:\WINDOWS\System32\ <a href="http://search.lop.co...lt Video">Adult Video</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...orts">Escorts<] c:\WINDOWS\System32\ <a href="http://search.lop.co...ts">Escorts</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Matchmaking</a] c:\WINDOWS\System32\ <a href="http://search.lop.co...chmaking</a>...
O4 - HKLM\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...Computers</a><] c:\WINDOWS\System32\ <a href="http://search.lop.co...puters</a></h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...&s=Hosting">Web Hosting<] c:\WINDOWS\System32\ <a href="http://search.lop.co...&s=Hosting">Web Hosting</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...top">Laptops</] c:\WINDOWS\System32\ <a href="http://search.lop.co...op">Laptops</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...re">Software</] c:\WINDOWS\System32\ <a href="http://search.lop.co...e">Software</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...s=Xbox">Xbox</] c:\WINDOWS\System32\ <a href="http://search.lop.co...=Xbox">Xbox</a>,
O4 - HKLM\..\Run: [ <a href="http://search.lop.co...be">Gamecube</] c:\WINDOWS\System32\ <a href="http://search.lop.c

Edited by XF4Evr, 05 July 2004 - 01:11 PM.


#2 XF4Evr

Posted 05 July 2004 - 01:48 PM

After deletion of .lop's (all 398 of them) and 1 mywebsearch, this is the new log. Should I restart? Will I notice any difference??? The worldwinner...I don't need any of that right?


Logfile of HijackThis v1.98.0
Scan saved at 2:44:55 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\America Online 9.0i\aoltray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com127.0.0.1 media.altnet.com
O1 - Hosts: 66.221.79.6 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O2 - BHO: (no name) - {FF54E62B-007E-46A8-A673-1D8AABDD37E7} - C:\WINDOWS\system32\qrxdfxkc.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKLM\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKLM\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKLM\..\Run: [4MHWDQL4DQELJK] C:\WINDOWS\System32\Gbi1r6.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HEAD>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKLM\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKLM\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKLM\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKLM\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKLM\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKLM\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKLM\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKLM\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKLM\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKLM\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKLM\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKLM\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKLM\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKLM\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKLM\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKLM\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKLM\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKLM\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKLM\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKLM\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKLM\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKLM\..\Run: [<script src="http://rub.to/info.j...fo.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.j...o.js"></script>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKLM\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKLM\..\Run: [ Hosting</a></b> ] c:\WINDOWS\System32\ Hosting</a></b> <br>
O4 - HKLM\..\Run: [ Loan</a></b> ] c:\WINDOWS\System32\ Loan</a></b> <br>
O4 - HKLM\..\Run: [ Finance</a></b> ] c:\WINDOWS\System32\ Finance</a></b> <br>
O4 - HKLM\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKLM\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKLM\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKLM\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKLM\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKLM\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKLM\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKLM\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKLM\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKLM\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKLM\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKLM\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKLM\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com...n.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com...if">&nbsp;</td>
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKLM\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKLM\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKLM\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKLM\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKLM\..\Run: [ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reserved.
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKLM\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [CQEWDKY] C:\WINDOWS\CQEWDKY.exe
O4 - HKLM\..\Run: [KRYX] C:\WINDOWS\KRYX.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lofalgp] C:\WINDOWS\lofalgp.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKCU\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKCU\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKCU\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKCU\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKCU\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKCU\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKCU\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKCU\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKCU\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKCU\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKCU\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKCU\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKCU\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKCU\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKCU\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKCU\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKCU\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKCU\..\Run: [<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.i] c:\WINDOWS\System32\<link rel="SHORTCUT ICON" href="http://www.lop.com/f...m/favicon.ico">
O4 - HKCU\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKCU\..\Run: [<script src="http://rub.to/info.j...fo.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.j...o.js"></script>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com...ages/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com...s/bg_main.gif">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKCU\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKCU\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKCU\..\Run: [ Hosting</a></b> ] c:\WINDOWS\System32\ Hosting</a></b> <br>
O4 - HKCU\..\Run: [ Loan</a></b> ] c:\WINDOWS\System32\ Loan</a></b> <br>
O4 - HKCU\..\Run: [ Finance</a></b> ] c:\WINDOWS\System32\ Finance</a></b> <br>
O4 - HKCU\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKCU\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKCU\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKCU\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKCU\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKCU\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKCU\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKCU\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKCU\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKCU\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKCU\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKCU\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKCU\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKCU\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKCU\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKCU\..\Run: [ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reserved.
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKCU\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Adele Coker\Application Data\DownloadPlus.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0i\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .csm: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .csml: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cub: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cube: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .dx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .emb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .embl: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .gau: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mol: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mop: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .scr: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .skc: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {00053077-755D-4DEB-8CC8-1E687FD17D61} - http://mirror.worldw...rs/checkers.cab
O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} - http://mirror.worldw...0/bash/bash.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - http://mirror.worldw...mines/mines.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.bab...cabs/videox.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {40689DFB-7484-4D82-BCDD-DE2B39F74FD3} (Ttt Control) - http://mirror.worldw...v40/ttt/ttt.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {50EA9239-25E2-419F-B766-7A9F09D32376} - http://mirror.worldw...0/maze/maze.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} - http://mirror.worldw...shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinn...ared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://mirror.worldw...ll/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} - http://mirror.worldw...y/territory.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {84431AB8-1869-11D4-885A-00104B215F34} (Linkzilla Control) - [url

#3 Gwyrox732


Posted 05 July 2004 - 02:06 PM

I know this will be a LOT of work but can you please place a check mark next to all of the O4 lines EXCEPT for the following ones, reboot, and post a new log? Thank you:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE


#4 XF4Evr


Posted 05 July 2004 - 10:24 PM

Here's the new log:

Logfile of HijackThis v1.98.0
Scan saved at 11:23:18 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KaZaA Lite\Kazaa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com127.0.0.1 media.altnet.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O2 - BHO: (no name) - {FF54E62B-007E-46A8-A673-1D8AABDD37E7} - C:\WINDOWS\system32\qrxdfxkc.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKLM\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKLM\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKLM\..\Run: [4MHWDQL4DQELJK] C:\WINDOWS\System32\Gbi1r6.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HEAD>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\ }
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKLM\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKLM\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKLM\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKLM\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKLM\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKLM\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKLM\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKLM\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKLM\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKLM\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKLM\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKLM\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKLM\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKLM\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKLM\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKLM\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKLM\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKLM\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKLM\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKLM\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKLM\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKLM\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKLM\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKLM\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKLM\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKLM\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKLM\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKLM\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKLM\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKLM\..\Run: [<script src="http://rub.to/info.j...fo.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.j...o.js"></script>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKLM\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKLM\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKLM\..\Run: [ Hosting</a></b> ] c:\WINDOWS\System32\ Hosting</a></b> <br>
O4 - HKLM\..\Run: [ Loan</a></b> ] c:\WINDOWS\System32\ Loan</a></b> <br>
O4 - HKLM\..\Run: [ Finance</a></b> ] c:\WINDOWS\System32\ Finance</a></b> <br>
O4 - HKLM\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKLM\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKLM\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKLM\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKLM\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKLM\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKLM\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKLM\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKLM\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKLM\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKLM\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKLM\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKLM\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com...n.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com...if">&nbsp;</td>
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKLM\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKLM\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKLM\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKLM\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKLM\..\Run: [ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reserved.
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKLM\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [CQEWDKY] C:\WINDOWS\CQEWDKY.exe
O4 - HKLM\..\Run: [KRYX] C:\WINDOWS\KRYX.exe
O4 - HKLM\..\Run: [lofalgp] C:\WINDOWS\lofalgp.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net...net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net...net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKCU\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKCU\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKCU\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKCU\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKCU\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKCU\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKCU\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKCU\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKCU\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKCU\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKCU\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKCU\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKCU\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKCU\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKCU\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKCU\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKCU\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKCU\..\Run: [<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.i] c:\WINDOWS\System32\<link rel="SHORTCUT ICON" href="http://www.lop.com/f...m/favicon.ico">
O4 - HKCU\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKCU\..\Run: [<script src="http://rub.to/info.j...fo.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.j...o.js"></script>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com...ages/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com...s/bg_main.gif">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKCU\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKCU\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKCU\..\Run: [ Hosting</a></b> ] c:\WINDOWS\System32\ Hosting</a></b> <br>
O4 - HKCU\..\Run: [ Loan</a></b> ] c:\WINDOWS\System32\ Loan</a></b> <br>
O4 - HKCU\..\Run: [ Finance</a></b> ] c:\WINDOWS\System32\ Finance</a></b> <br>
O4 - HKCU\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com...g_leftshad.gif" height="423">&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKCU\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKCU\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKCU\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKCU\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKCU\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKCU\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKCU\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKCU\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKCU\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKCU\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKCU\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKCU\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKCU\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKCU\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKCU\..\Run: [ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright 2003, Search Web Now., All rights reserved.
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKCU\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKCU\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Adele Coker\Application Data\DownloadPlus.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0i\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .csm: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .csml: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cub: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cube: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .dx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .emb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .embl: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .gau: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mol: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mop: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .scr: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .skc: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {00053077-755D-4DEB-8CC8-1E687FD17D61} - http://mirror.worldw...rs/checkers.cab
O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} - http://mirror.worldw...0/bash/bash.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - http://mirror.worldw...mines/mines.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.bab...cabs/videox.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {40689DFB-7484-4D82-BCDD-DE2B39F74FD3} (Ttt Control) - http://mirror.worldw...v40/ttt/ttt.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {50EA9239-25E2-419F-B766-7A9F09D32376} - http://mirror.worldw...0/maze/maze.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} - http://mirror.worldw...shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinn...ared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://mirror.worldw...ll/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} - http://mirror.worldw...y/territory.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {84431AB8-1869-11D4-885A-00104B215F34} (Linkzilla Control) - http://www.sivi.com/...illa/Lzilla.ocx
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.soli...d/solitaire.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} - http://mirror.worldw...man/tracman.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...wild/wtinst.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.21/ttinst.cab

#5 Gwyrox732


Posted 05 July 2004 - 10:29 PM

So you fixed all the lines that looked like:
O4 - HKCU\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;

? And they came back?
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!

#6 XF4Evr


Posted 05 July 2004 - 10:59 PM

No, I made a mistake before and deleted those that you told me not to, but when I realized, I went to a saved restore point prior to my error. Should I remove the O4-HKLM along with the O4-HKCU's?

#7 Gwyrox732


Posted 05 July 2004 - 11:00 PM

Yes, remove all O4's except for the following:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE


#8 XF4Evr


Posted 05 July 2004 - 11:26 PM

The real log, with the O4's deleted...

Logfile of HijackThis v1.98.0
Scan saved at 12:13:51 AM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\America Online 9.0i\aoltray.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\webshots.scr
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\Program Files\AIM95\aim.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com127.0.0.1 media.altnet.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O2 - BHO: (no name) - {FF54E62B-007E-46A8-A673-1D8AABDD37E7} - C:\WINDOWS\system32\qrxdfxkc.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\KaZaA Lite\Kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .csm: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .csml: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cub: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .cube: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .dx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .emb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .embl: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .gau: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mol: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .mop: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .scr: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .skc: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .spt: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\WINDOWS\SYSTEM32\dllcache\Plugins\npchime.dll
O16 - DPF: JT's Blocks - http://download.game...ts/y/blt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {00053077-755D-4DEB-8CC8-1E687FD17D61} - http://mirror.worldw...rs/checkers.cab
O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} - http://mirror.worldw...0/bash/bash.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} - http://mirror.worldw...mines/mines.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.bab...cabs/videox.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} - http://mirror.worldw...ut/brickout.cab
O16 - DPF: {40689DFB-7484-4D82-BCDD-DE2B39F74FD3} (Ttt Control) - http://mirror.worldw...v40/ttt/ttt.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} - http://mirror.worldw...gsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse....iveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...77/mcinsctl.cab
O16 - DPF: {50EA9239-25E2-419F-B766-7A9F09D32376} - http://mirror.worldw...0/maze/maze.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} - http://mirror.worldw...shape/shape.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinn...ared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://mirror.worldw...ll/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} - http://mirror.worldw...be/wordcube.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} - http://mirror.worldw...y/territory.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {84431AB8-1869-11D4-885A-00104B215F34} (Linkzilla Control) - http://www.sivi.com/...illa/Lzilla.ocx
O16 - DPF: {8B6193F1-837F-11D4-89E6-0050DA666184} (Sol2axctl Class) - http://download.soli...d/solitaire.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} - http://mirror.worldw...focus/focus.cab
O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} - http://mirror.worldw...man/tracman.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://mirror.worldw...v40/sol/sol.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtange...wild/wtinst.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://mirror.worldw...man/hangman.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} - http://mirror.worldw...ty/tilecity.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,18/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...9.21/ttinst.cab
O16 - DPF: {C5142630-9BC9-4236-BAC9-2E3C24566EC8} - http://mirror.worldw...xword/xword.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinn...d/uninstall.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com.../autopricer.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} - http://mirror.worldw...darts/darts.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup143.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - http://mirror.worldw...ool/h2hpool.cab
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = W21484.wabu.com

#9 Gwyrox732

Posted 05 July 2004 - 11:47 PM

Looks much better.
Before you do anything, can you please zip up the following file (using WinZip or, I think, there is a built-in zipping utility in XP) and send it to me at vze4dy43[at]verizon[dot]net:
C:\DOCUMENTS AND SETTINGS\[your user name]\APPLICATION DATA\dtlgroprou.dll

Now, please fix the following items in HijackThis the same way as before:
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com127.0.0.1 media.altnet.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O2 - BHO: (no name) - {FF54E62B-007E-46A8-A673-1D8AABDD37E7} - C:\WINDOWS\system32\qrxdfxkc.dll (file missing)
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.bab...cabs/videox.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/i...etup1.0.0.5.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...9.21/ttinst.cab


And, yes, as you were saying, you can fix all of those worldwinner O16s if you would like to.

Now, please reboot and delete the following files/folders:
C:\PROGRAM FILES\COMMON~1\Real\Toolbar\ <-folder
C:\DOCUMENTS AND SETTINGS\REMICO~1\APPLICATION DATA\dtlgroprou.dll
C:\WINDOWS\fash.exe

And, finally, post a new HijackThis log. Are your symptoms getting better and/or gone?
Quote from Original CWS Article at SWI: "There could be other domains involved in the future." ... We've come a long way since then

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!
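An added example, not part of Gwyrox732's post or of HijackThis itself: a small Python triage pass over HijackThis entry lines of the kind listed above. The sample lines are copied from this thread; the four rules and the function names are assumptions chosen for illustration, not the helper's stated criteria.

```python
import re

# Entry lines copied from the log and fix list in this thread, used as sample input.
SAMPLE_LOG = r"""
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: nbkpcqjrnzsqpnypemjm - {76c13305-dd99-4aba-aadb-600a414aec03} - C:\DOCUME~1\REMICO~1\APPLIC~1\dtlgroprou.dll
O2 - BHO: (no name) - {86D92536-FC08-4CD1-B43D-AF28E25429C9} - C:\WINDOWS\System32\authyz.dll (file missing)
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry body

def parse(log):
    """Yield (section, body) for every HijackThis entry line, e.g. ('O2', 'BHO: ...')."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def reasons(section, body):
    """Return the triage reasons for one entry (empty list = no rule matched)."""
    low = body.lower()
    found = []
    if "(file missing)" in low or "(no file)" in low:
        found.append("registration points at a file that is not on disk")
    if section == "O2" and re.search(r"\\(documents and settings|docume~1)\\", low):
        found.append("BHO DLL loads from a user profile directory")
    if section == "O4" and re.search(r"c:\\windows\\[^\\]+\.exe", low):
        found.append("autorun executable sits directly in C:\\WINDOWS")
    if section == "O1":
        m = re.match(r"hosts:\s*(\d{1,3}(?:\.\d{1,3}){3})\s", low)
        if m and not m.group(1).startswith("127."):
            found.append("hosts file maps a name to non-loopback " + m.group(1))
    return found

def triage(log):
    """Return (section, body, reasons) for every entry that matched at least one rule."""
    return [(s, b, r) for s, b in parse(log) if (r := reasons(s, b))]

if __name__ == "__main__":
    for section, body, why in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> " + "; ".join(why))
```

On the sample this flags the hosts redirect, the dtlgroprou.dll and authyz.dll BHOs, the fash Run key and the orphaned O9 button. REALBAR, which the helper also listed, matches none of the rules, so output like this only orders lines for a human reviewer.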

#10 XF4Evr

Posted 12 July 2004 - 07:16 PM

I can't find dtlgroprou.dll anywhere on my hard drive! What should I do?



