Re: HijackThisLog Analysis - L33t
Date: Monday, 27 September, 2004 9:08 AM
Remember: DO NOT run hijackthis.exe from inside the zip file. Unzip (extract) it to your desktop, then double click on the "HijackThis.exe" icon. This way a backup of the removed keys will be created on your desktop (useful if you remove them wrongly).
Here is what you should do.
Before you start, you may want to update your anti-virus, as your computer may have the dktime.exe Troj/Dloader-CC trojan and the Syslaunch.exe trojan. Rescan your computer; at the same time you may want to remove RamBooster and Messenger Plus! 3. These may come with "sponsored" programs that may contribute to slowness on your computer.
Also uninstall D-Tools, WordQ and Motive SmartBridge if you are not using them. You can always reinstall them after you have cleaned up your computer.
End the suspicious process below:
C:\WINDOWS\System32\dktime.exe
Remove these search keys:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: 213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: 213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: 213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = website: vampirefreaks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = website: lexmark.com/MD/?func=newreg&lang=0&prtr=4406001&ctry=00000409&os=5&src=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
Remove these additional browser plug-in keys (O2...O4):
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O2 - BHO: (no name) - {4FFD4329-C44A-50B6-DA26-64550487243A} - C:\WINDOWS\System32\hcrn.dll
O2 - BHO: (no name) - {4FFF457A-9417-00E1-D626-645504872439} - C:\WINDOWS\System32\xoktah.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\travis\Local Settings\Temp\ClLl.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [DownloadWare Engine] "C:\Program Files\DownloadWare Engine\DWE.EXE" /H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Ebwr] C:\documents and settings\trish\local settings\temp\Ebwr.exe
O4 - HKLM\..\Run: [Fq9wB] C:\documents and settings\travis\local settings\temp\Fq9wB.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [ssGAOOH7Q] C:\documents and settings\gary\local settings\temp\ssGAOOH7Q.exe
O4 - HKLM\..\Run: [Q2V4emn] C:\documents and settings\gary\local settings\temp\Q2V4emn.exe
O4 - HKLM\..\Run: [962c925eb967] C:\WINDOWS\System32\ati2cqag.exe
O4 - HKLM\..\Run: [vuyu3A] C:\documents and settings\gary\local settings\temp\vuyu3A.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [gl8pSE5] C:\documents and settings\gary\local settings\temp\gl8pSE5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [rUh1v] C:\documents and settings\gary\local settings\temp\rUh1v.exe
O4 - HKLM\..\Run: [RQj] C:\documents and settings\gary\local settings\temp\RQj.exe
O4 - HKLM\..\Run: [MCq2I] C:\documents and settings\gary\local settings\temp\MCq2I.exe
O4 - HKLM\..\Run: [YpQAHs6c] C:\documents and settings\gary\local settings\temp\YpQAHs6c.exe
O4 - HKLM\..\Run: [jeWxZsol] c:\documents and settings\gary\local settings\temp\jeWxZsol.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
Remove these ActiveX Objects (aka Downloaded Program Files) if you are not using them (O16):
O16 - DPF: v2cab - website: 6227.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=website: viewpoint.com/cgi-bin/beta/vet_install_popup.pl?0&4&unknown&unknown
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - website: mirror.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=305 ... 261
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - website: mirror.worldwinner.com/games/v42/brickout/brickout.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - website: zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - website: mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - website: zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - website: files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - website: 207.188.7.150/2460cf8844f743aef700/netzip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - website: mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - website: mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - website: mirror.worldwinner.com/games/v45/blockwerx/blockwerx.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - website: advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - website: mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - website: mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - website: mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - website: launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - website: mirror.worldwinner.com/games/v47/collapse/collapse.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - website: download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - website: mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - website: mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - website: mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - website: mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - website: zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - website: mirror.worldwinner.com/games/v59/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - website: mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - website: mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - website: zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - website: mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - website: chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - website: download.overpro.com/WildApp.cab
Remove Shell Service Object Delay Load Registry key:
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
Reboot the computer into safe mode. Then delete these files from your C: drive:
C:\WINDOWS\System32\dktime.exe
C:\WINDOWS\System32\mssaru.dll
C:\Program Files\DownloadWare Engine\
Original log but with private information removed.
Logfile of HijackThis v1.98.2
Scan saved at 9:00:15 PM, on 9/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\golumm\services.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\documents and settings\trish\local settings\temp\Ebwr.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\documents and settings\travis\local settings\temp\Fq9wB.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ati2cqag.exe
C:\WINDOWS\System32\dktime.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\RamBooster\Rambooster.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Documents and Settings\travis\Application Data\l?z?.exe
C:\WINDOWS\System32\dktime.exe
C:\Documents and Settings\travis\rmtct.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\??oolsv.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\travis\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: 213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = website: 213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = website: 213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = website: vampirefreaks.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = website: lexmark.com/MD/?func=newreg&lang=0&prtr=4406001&ctry=00000409&os=5&src=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O2 - BHO: (no name) - {4FFD4329-C44A-50B6-DA26-64550487243A} - C:\WINDOWS\System32\hcrn.dll
O2 - BHO: (no name) - {4FFF457A-9417-00E1-D626-645504872439} - C:\WINDOWS\System32\xoktah.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\travis\Local Settings\Temp\ClLl.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RegTweak] C:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WordQ carat flag] C:\Program Files\WordQ\\WordQcrs.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [DownloadWare Engine] "C:\Program Files\DownloadWare Engine\DWE.EXE" /H
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [golumm] C:\WINDOWS\System32\golumm\services.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Ebwr] C:\documents and settings\trish\local settings\temp\Ebwr.exe
O4 - HKLM\..\Run: [Fq9wB] C:\documents and settings\travis\local settings\temp\Fq9wB.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [ssGAOOH7Q] C:\documents and settings\gary\local settings\temp\ssGAOOH7Q.exe
O4 - HKLM\..\Run: [Q2V4emn] C:\documents and settings\gary\local settings\temp\Q2V4emn.exe
O4 - HKLM\..\Run: [962c925eb967] C:\WINDOWS\System32\ati2cqag.exe
O4 - HKLM\..\Run: [vuyu3A] C:\documents and settings\gary\local settings\temp\vuyu3A.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKLM\..\Run: [gl8pSE5] C:\documents and settings\gary\local settings\temp\gl8pSE5.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [rUh1v] C:\documents and settings\gary\local settings\temp\rUh1v.exe
O4 - HKLM\..\Run: [RQj] C:\documents and settings\gary\local settings\temp\RQj.exe
O4 - HKLM\..\Run: [MCq2I] C:\documents and settings\gary\local settings\temp\MCq2I.exe
O4 - HKLM\..\Run: [YpQAHs6c] C:\documents and settings\gary\local settings\temp\YpQAHs6c.exe
O4 - HKLM\..\Run: [jeWxZsol] c:\documents and settings\gary\local settings\temp\jeWxZsol.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster\Rambooster.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [sysinit] C:\WINDOWS\System32\golumm\services.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Udrr] C:\Documents and Settings\travis\Application Data\l?z?.exe
O4 - HKCU\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O4 - HKCU\..\Run: [Yqqx] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: v2cab - website: 6227.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=website: viewpoint.com/cgi-bin/beta/vet_install_popup.pl?0&4&unknown&unknown
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - website: mirror.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - website: public.windupdates.com/get_file.php?bt=ie&p=305 ... 261
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - website: mirror.worldwinner.com/games/v42/brickout/brickout.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - website: zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - website: mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - website: zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - website: files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - website: 207.188.7.150/2460cf8844f743aef700/netzip/RdxIE601.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - website: mirror.worldwinner.com/games/v49/bjattack/bjattack.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - website: mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - website: mirror.worldwinner.com/games/v45/blockwerx/blockwerx.cab
O16 - DPF: {683DFF0F-331F-44D2-B69B-46D7BFB58F32} (VacPro.canada_ver3) - website: advnt01.com/dialer/canada_ver3.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - website: mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - website: mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - website: mirror.worldwinner.com/games/v44/wordcube/wordcube.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - website: launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - website: mirror.worldwinner.com/games/v47/collapse/collapse.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - website: download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - website: mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - website: mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - website: mirror.worldwinner.com/games/v55/cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - website: mirror.worldwinner.com/games/v44/sol/sol.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - website: zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - website: mirror.worldwinner.com/games/v59/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - website: mirror.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - website: mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - website: zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - website: mirror.worldwinner.com/games/v41/golfsol/golfsol.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - website: chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - website: download.overpro.com/WildApp.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
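Added example (editor's addition, not part of L33t's reply and not HijackThis code): a small Python triage script that parses log lines in the format shown above and flags the same kinds of entries the reply singles out. The sample lines are copied from the posted log with the forum's spaced-out paths collapsed; the three rules (an O4 autorun launched from a user's Local Settings\Temp folder, an R0/R1 value that is a raw IP address, and a file name that appears in the reply's removal list) are this editor's encoding of the reply's reasoning, not a rule set from the tool. The `website:` prefix is assumed to be the forum's substitution for the original URL scheme and is left as printed.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the log above, paths collapsed.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = website: 213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = website: lexmark.com/MD/?func=newreg
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 50.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Ebwr] C:\documents and settings\trish\local settings\temp\Ebwr.exe
O4 - HKLM\..\Run: [DKTime] C:\WINDOWS\System32\dktime.exe
O16 - DPF: v2cab - website: 6227.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - website: mirror.worldwinner.com/games/v40/mines/mines.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\System32\mssaru.dll
"""

# Every HijackThis line starts with a section code such as "R1" or "O16".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Names the reply above lists for removal (matched case-insensitively as substrings).
NAMED_IN_REPLY = ("dktime.exe", "syslaunch.exe", "mssaru.dll", "dwe.exe",
                  "elitebar", "hcrn.dll", "xoktah.dll")
TEMP_DIR = re.compile(r"\\local settings\\temp\\", re.I)
RAW_IP = re.compile(r"(?:^|[\s:/])(?:\d{1,3}\.){3}\d{1,3}(?:/|$)")
HOST_RE = re.compile(r"(?:website:\s*|https?://)([^/\s]+)")


@dataclass
class Entry:
    section: str   # section code, e.g. "O4"
    body: str      # text after "O4 - "
    target: str    # best-effort path or URL the entry points at ("" if none)


def extract_target(section, body):
    """Pull the file path / URL out of the section layouts used in the log."""
    if section in ("R0", "R1"):                 # "...,Start Page = <url>"
        return body.split(" = ", 1)[1].strip() if " = " in body else ""
    if section == "O4":                         # "HKLM\..\Run: [name] <cmd>"
        return body.split("] ", 1)[1].strip() if "] " in body else ""
    if section in ("O2", "O3", "O16", "O21"):   # "...{CLSID} - <path or url>"
        return body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
    return ""


def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sec, body = m.group("section"), m.group("body")
            entries.append(Entry(sec, body, extract_target(sec, body)))
    return entries


def triage(entries):
    """Return (section, target, reasons) for each entry matching a rule."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O4" and TEMP_DIR.search(e.target):
            reasons.append("autorun launched from a user temp folder")
        if e.section in ("R0", "R1") and RAW_IP.search(e.target):
            reasons.append("IE setting points at a raw IP address")
        if any(name in e.target.lower() for name in NAMED_IN_REPLY):
            reasons.append("file name appears in the reply's removal list")
        if reasons:
            findings.append((e.section, e.target, reasons))
    return findings


def o16_hosts(entries):
    """Hosts the O16 (Downloaded Program Files) controls were fetched from."""
    hosts = set()
    for e in entries:
        if e.section == "O16":
            m = HOST_RE.search(e.target)
            if m:
                hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for sec, target, reasons in triage(ents):
        print(f"{sec}: {target}\n    {'; '.join(reasons)}")
    print("O16 download hosts:", sorted(o16_hosts(ents)))
```

Running it on the sample prints the five entries the reply would have removed (the hijacked start page, the EliteBar BHO, the two temp-folder and dktime autoruns, and the SSODL entry) and leaves the AVG autorun and the game controls alone; the O16 host list is there so a reader can decide which Downloaded Program Files they actually use, as the reply suggests, rather than deleting them blindly.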