[Resolved] system32 folder popup

haleighanna

Thread Starter
Joined
Apr 19, 2004
Messages
7
I am having a problem with my system32 folder popping up. I looked at one of my registry files (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and found some really weird stuff. I ran a log off of HijackThis and have attached it. Please let me know how to stop this.

I can send the log if you need to see it.

Thanks,

Holly
 
Joined
Dec 9, 2000
Messages
45,855
Your attached log didn't make it for some reason, possibly because you used the "preview" function after loading it.

You can copy/paste the contents of the log to a reply here; that is better for us anyway.
 

haleighanna (Thread Starter)
Here is the first half of my log.


Logfile of HijackThis v1.97.7
Scan saved at 8:07:36 PM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Holly.YOUR-N3TY7ATHD5\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINDOWS\BIOVZGMT.exe
C:\WINDOWS\VIPVGA.exe
C:\WINDOWS\CIPV.exe
C:\WINDOWS\CGQW.exe
C:\Program Files\rb32\rb32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\msbb.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\WINDOWS\ISD.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
O2 - BHO: (no name) - {ce3f8e3e-aa3d-4b35-9028-dabff8b8df5e} - C:\DOCUME~1\RACHEL~1.YOU\APPLIC~1\esttfcrbp.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
O2 - BHO: (no name) - {F9374DE1-E63C-4483-90F8-74F08041834F} - C:\PROGRA~1\SAFESU~1\SAFESU~1.DLL
O2 - BHO: (no name) - {f9f659af-29f8-4f73-8141-29a12a932885} - C:\DOCUME~1\Kaitlyn\APPLIC~1\esttfcrbo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"></td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.gif">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6"></p>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6"> <b>
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2"><br>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKLM\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;</td>
O4 - HKLM\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"></td>
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKLM\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKLM\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
 

haleighanna (Thread Starter)
Here is the second part.

O4 - HKLM\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>
O4 - HKLM\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKLM\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKLM\..\Run: [ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a><] c:\WINDOWS\System32\ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a></td>
O4 - HKLM\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKLM\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKLM\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"></td>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
O4 - HKLM\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKLM\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKLM\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Finance">Personal Finance</a><] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Finance">Personal Finance</a></h1>
O4 - HKLM\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"></td>
O4 - HKLM\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKLM\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKLM\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKLM\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKLM\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKLM\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKLM\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;</td>
O4 - HKLM\..\Run: [ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="] c:\WINDOWS\System32\ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="55">
O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKLM\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"></td>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="t] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="top">
O4 - HKLM\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKLM\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKLM\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKLM\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"></td>
O4 - HKLM\..\Run: [ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reserved.
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;</td>
O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKLM\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKLM\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
 

haleighanna (Thread Starter)

Here is the last part.

O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [BIOVZGMT] C:\WINDOWS\BIOVZGMT.exe
O4 - HKLM\..\Run: [VIPVGA] C:\WINDOWS\VIPVGA.exe
O4 - HKLM\..\Run: [CIPV] C:\WINDOWS\CIPV.exe
O4 - HKLM\..\Run: [CGQW] C:\WINDOWS\CGQW.exe
O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
O4 - HKLM\..\Run: [ISD] C:\WINDOWS\ISD.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKCU\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
O4 - HKCU\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
O4 - HKCU\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
O4 - HKCU\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
O4 - HKCU\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
O4 - HKCU\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
O4 - HKCU\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
O4 - HKCU\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
O4 - HKCU\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
O4 - HKCU\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
O4 - HKCU\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
O4 - HKCU\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
O4 - HKCU\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
O4 - HKCU\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
O4 - HKCU\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
O4 - HKCU\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
O4 - HKCU\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
O4 - HKCU\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
O4 - HKCU\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
O4 - HKCU\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
O4 - HKCU\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
O4 - HKCU\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
O4 - HKCU\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
O4 - HKCU\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
O4 - HKCU\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
O4 - HKCU\..\Run: [<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.i] c:\WINDOWS\System32\<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.ico">
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKCU\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
O4 - HKCU\..\Run: [<script src="http://rub.to/info.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.js"></script>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.gif">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6"></p>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6"> <b>
O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></b>] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></b><br>
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2"><br>
O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Adult">Ad] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Adult">Adult
O4 - HKCU\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
O4 - HKCU\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
O4 - HKCU\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <h1>
O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Domain+Hosting">Domain Hosting</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Domain+Hosting">Domain Hosting</a></b> <br>
O4 - HKCU\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"></td>
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"></td>
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"></td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
O4 - HKCU\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
O4 - HKCU\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
O4 - HKCU\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>
O4 - HKCU\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
O4 - HKCU\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
O4 - HKCU\..\Run: [ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a><] c:\WINDOWS\System32\ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a></td>
O4 - HKCU\..\Run: [ </f] c:\WINDOWS\System32\ </form>
O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"></td>
O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
O4 - HKCU\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"></td>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Matchmaking">Matchmaking</a] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Matchmaking">Matchmaking</a>...
O4 - HKCU\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
O4 - HKCU\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"></td>
O4 - HKCU\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
O4 - HKCU\..\Run: [ <h1><a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a><] c:\WINDOWS\System32\ <h1><a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></h1>
O4 - HKCU\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
O4 - HKCU\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
O4 - HKCU\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
O4 - HKCU\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
O4 - HKCU\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;</td>
O4 - HKCU\..\Run: [ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="] c:\WINDOWS\System32\ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="55">
O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
O4 - HKCU\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"></td>
O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="t] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="top">
O4 - HKCU\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
O4 - HKCU\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
O4 - HKCU\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
O4 - HKCU\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"></td>
O4 - HKCU\..\Run: [ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reserved.
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <br>
O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;</td>
O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
O4 - HKCU\..\Run: [<scr] c:\WINDOWS\System32\<script>
O4 - HKCU\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1082396520765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = d744.wabu.com
O17 - HKLM\Software\..\Telephony: DomainName = d744.wabu.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{02749A39-BBE2-4A37-9027-89FDFED80CCE}: Domain = d744.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = d744.wabu.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{02749A39-BBE2-4A37-9027-89FDFED80CCE}: Domain = d744.wabu.com
 
Joined
Dec 9, 2000
Messages
45,855
Well, I have been viewing startuplists and scanlogs for a number of years now, and I have never seen, and don't think I will ever see again, something like that.

It is going to be easier to tell you what not to delete.

Here's the drill, I hope it works.

Part 1, put checks in these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
O2 - BHO: (no name) - {ce3f8e3e-aa3d-4b35-9028-dabff8b8df5e} - C:\DOCUME~1\RACHEL~1.YOU\APPLIC~1\esttfcrbp.dll
O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
O2 - BHO: (no name) - {F9374DE1-E63C-4483-90F8-74F08041834F} - C:\PROGRA~1\SAFESU~1\SAFESU~1.DLL
O2 - BHO: (no name) - {f9f659af-29f8-4f73-8141-29a12a932885} - C:\DOCUME~1\Kaitlyn\APPLIC~1\esttfcrbo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Part 2 -- this is the tricky part; put checks in EVERYTHING else BUT these entries:

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...b?1082396520765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/T...nloads/outc.cab

>> In other words, part 2 consists of the remaining "good" entries; everything else is bad.

>> Before selecting "fix checked" make sure your browser is completely closed. Then "fix" the items and reboot.

Part 3 -- install, UPDATE, and run either Ad-Aware or Spybot or both following the directions given in these links. Have them delete all targeted items. Reboot and post a new Scanlog.

Spybot Instructions and Download
Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73
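The checklist above comes down to a rule a defender can script: a legitimate Run value has a short name and launches an executable, while the lop.com entries carry HTML fragments and point at a bare directory. The Python below is an added example, not the helper's or HijackThis's own code; it parses O4 lines (the sample set is constructed from lines in this thread's logs) and flags entries by those heuristics, which are the example's assumptions rather than HijackThis rules.

```python
import re

# O4 lines as they appear in this thread's HijackThis logs, plus one O9 line to show
# that non-O4 lines are skipped (the sample set itself is constructed for the example).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook',
    r'O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe',
    r'O9 - Extra button: AIM (HKLM)',
    r'O4 - HKCU\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();',
    r'O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>',
    r'O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>',
    r'O4 - HKCU\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>',
]

# The two O4 shapes in the log: registry Run values and Global Startup shortcuts.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
NAME_MARKUP_RE = re.compile(r'[<>"=]|&nbsp;')   # a real value name has none of these
CMD_MARKUP_RE = re.compile(r'[<>]|&nbsp;')      # quotes are legitimate in a command
EXEC_EXTENSIONS = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.lnk', '.vbs', '.js')

def program_path(cmd):
    """Return the program a Run command launches, tolerating unquoted paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(' ')
    # Grow the prefix token by token until it ends in an executable extension,
    # which handles unquoted paths with spaces such as the AIM entry above.
    for i in range(1, len(tokens) + 1):
        candidate = ' '.join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXTENSIONS):
            return candidate
    return tokens[0]

def triage_o4(line):
    """Return (line, reasons) for an O4 line, or None if unhandled; empty reasons means it looks normal."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if m is None:
        return None
    name, cmd = m.group('name'), m.group('cmd')
    reasons = []
    if not name.strip():
        reasons.append('blank value name')
    elif NAME_MARKUP_RE.search(name):
        reasons.append('HTML fragment in value name')
    if CMD_MARKUP_RE.search(cmd):
        reasons.append('HTML fragment in command')
    target = program_path(cmd)
    if not target.lower().endswith(EXEC_EXTENSIONS):
        reasons.append('target is not an executable: ' + target)
    return line, reasons

def triage_log(lines):
    """Triage a whole log; non-O4 lines are dropped."""
    return [r for r in map(triage_o4, lines) if r is not None]

if __name__ == '__main__':
    for line, reasons in triage_log(SAMPLE_LINES):
        print('SUSPICIOUS' if reasons else 'ok', line[:60], reasons)
```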
 

haleighanna

Thread Starter
Joined
Apr 19, 2004
Messages
7
I have followed your instructions and everything seems to be going fine.

You seemed surprised by the amount of crap you saw--I was pretty surprised too. Any idea how it got this bad?

Also, I had already installed SPYBOT, but will go out and download Ad-Aware.

Thank you for taking the time to help me.

Best Regards,

Holly
 
Joined
Dec 9, 2000
Messages
45,855
It looks like the product of a long festering "lop.com" infection. Ad-aware should definitely be run on it. And for good measure, run CoolWebShredder as well, have it "fix" problems and reboot.

Be sure to post a final Scanlog for review. I'm glad you survived that major registry edit; I've never seen so much sheer garbage.

You can get the CoolWebShredder here:

http://www.spywareinfo.com/~merijn/downloads.html

This fixes other types of "search" hijacks similar to lop.com.
 

haleighanna

Thread Starter
Joined
Apr 19, 2004
Messages
7
Here is my updated log.

Logfile of HijackThis v1.97.7
Scan saved at 5:34:23 PM, on 4/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Holly.YOUR-N3TY7ATHD5\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1082396520765
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

I am not trying to do the same thing for each user on my computer. Are you interested in seeing their logs as well?

Holly
 
Joined
Dec 9, 2000
Messages
45,855
Wow what a difference! This one's good-to-go!

Sure, but post separate threads for both; make sure you indicate that they are different users so we don't inadvertently lock one thinking it is a duplicate. This will avoid confusion and make things easier to read.
 