
[Resolved] system32 folder popup

Discussion in 'Virus & Other Malware Removal' started by haleighanna, Apr 20, 2004.

  1. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    I am having a problem with my system32 folder popping up. I looked at one of my registry files (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) and found some really weird stuff. I ran a log off of Hijackthis and have attached it. Please let me know how to stop this.

    I can send the log if you need to see it.

    Thanks,

    Holly
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Your attached log didn't make it for some reason, possibly because you used the "preview" function after loading it.

    You can copy/paste the contents of the log to a reply here, that is better for us anyway.
     
  3. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    Here is the first half of my log.


    Logfile of HijackThis v1.97.7
    Scan saved at 8:07:36 PM, on 4/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Holly.YOUR-N3TY7ATHD5\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\WINDOWS\BIOVZGMT.exe
    C:\WINDOWS\VIPVGA.exe
    C:\WINDOWS\CIPV.exe
    C:\WINDOWS\CGQW.exe
    C:\Program Files\rb32\rb32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\windows\msbb.exe
    C:\Program Files\Common Files\Real\Update_OB\realevent.exe
    C:\WINDOWS\ISD.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
    O2 - BHO: (no name) - {ce3f8e3e-aa3d-4b35-9028-dabff8b8df5e} - C:\DOCUME~1\RACHEL~1.YOU\APPLIC~1\esttfcrbp.dll
    O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
    O2 - BHO: (no name) - {F9374DE1-E63C-4483-90F8-74F08041834F} - C:\PROGRA~1\SAFESU~1\SAFESU~1.DLL
    O2 - BHO: (no name) - {f9f659af-29f8-4f73-8141-29a12a932885} - C:\DOCUME~1\Kaitlyn\APPLIC~1\esttfcrbo.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\System32\a.exe
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"></td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.gif">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
    O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6"></p>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6"> <b>
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2"><br>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <h1>
    O4 - HKLM\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKLM\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
    O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
    O4 - HKLM\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;</td>
    O4 - HKLM\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
    O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"></td>
    O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"></td>
    O4 - HKLM\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"></td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
    O4 - HKLM\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
    O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKLM\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
     
  4. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    Here is the second part.

    O4 - HKLM\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>
    O4 - HKLM\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
    O4 - HKLM\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
    O4 - HKLM\..\Run: [ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a><] c:\WINDOWS\System32\ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a></td>
    O4 - HKLM\..\Run: [ </f] c:\WINDOWS\System32\ </form>
    O4 - HKLM\..\Run: [<] c:\WINDOWS\System32\</tr>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKLM\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
    O4 - HKLM\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"></td>
    O4 - HKLM\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
    O4 - HKLM\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"></td>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKLM\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
    O4 - HKLM\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
    O4 - HKLM\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
    O4 - HKLM\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Finance">Personal Finance</a><] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Finance">Personal Finance</a></h1>
    O4 - HKLM\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"></td>
    O4 - HKLM\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
    O4 - HKLM\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
    O4 - HKLM\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
    O4 - HKLM\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
    O4 - HKLM\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
    O4 - HKLM\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
    O4 - HKLM\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;</td>
    O4 - HKLM\..\Run: [ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="] c:\WINDOWS\System32\ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="55">
    O4 - HKLM\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
    O4 - HKLM\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"></td>
    O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="t] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="top">
    O4 - HKLM\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
    O4 - HKLM\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
    O4 - HKLM\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
    O4 - HKLM\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
    O4 - HKLM\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
    O4 - HKLM\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
    O4 - HKLM\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
    O4 - HKLM\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"></td>
    O4 - HKLM\..\Run: [ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reserved.
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
    O4 - HKLM\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;</td>
    O4 - HKLM\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKLM\..\Run: [<scr] c:\WINDOWS\System32\<script>
    O4 - HKLM\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
    O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
     
  5. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    Here is the last part.

    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [BIOVZGMT] C:\WINDOWS\BIOVZGMT.exe
    O4 - HKLM\..\Run: [VIPVGA] C:\WINDOWS\VIPVGA.exe
    O4 - HKLM\..\Run: [CIPV] C:\WINDOWS\CIPV.exe
    O4 - HKLM\..\Run: [CGQW] C:\WINDOWS\CGQW.exe
    O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
    O4 - HKLM\..\Run: [ISD] C:\WINDOWS\ISD.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [cnet] "C:\Program Files\Kontiki\bin\kontiki.exe" -s cnet -q
    O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
    O4 - HKCU\..\Run: [<meta http-equiv="Content-Language" content="en-] c:\WINDOWS\System32\<meta http-equiv="Content-Language" content="en-us">
    O4 - HKCU\..\Run: [<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-12] c:\WINDOWS\System32\<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
    O4 - HKCU\..\Run: [<TITLE>Search the Web!</TI] c:\WINDOWS\System32\<TITLE>Search the Web!</TITLE>
    O4 - HKCU\..\Run: [<meta name="description" content="Start searching now because your search ends her] c:\WINDOWS\System32\<meta name="description" content="Start searching now because your search ends here!">
    O4 - HKCU\..\Run: [<script language="JavaScri] c:\WINDOWS\System32\<script language="JavaScript">
    O4 - HKCU\..\Run: [ onload = fixWin] c:\WINDOWS\System32\ onload = fixWindow;
    O4 - HKCU\..\Run: [ function fixWindow] c:\WINDOWS\System32\ function fixWindow() {
    O4 - HKCU\..\Run: [ var height = 0, width ] c:\WINDOWS\System32\ var height = 0, width = 0;
    O4 - HKCU\..\Run: [ if (typeof innerHeight == "number] c:\WINDOWS\System32\ if (typeof innerHeight == "number") {
    O4 - HKCU\..\Run: [ width = innerWi] c:\WINDOWS\System32\ width = innerWidth;
    O4 - HKCU\..\Run: [ height = innerHei] c:\WINDOWS\System32\ height = innerHeight;
    O4 - HKCU\..\Run: [ } else if (typeof document.body.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.body.clientWidth == "number") {
    O4 - HKCU\..\Run: [ width = document.body.clientWi] c:\WINDOWS\System32\ width = document.body.clientWidth;
    O4 - HKCU\..\Run: [ height = document.body.clientHei] c:\WINDOWS\System32\ height = document.body.clientHeight;
    O4 - HKCU\..\Run: [ } else if (typeof document.documentElement.clientWidth == "number] c:\WINDOWS\System32\ } else if (typeof document.documentElement.clientWidth == "number") {
    O4 - HKCU\..\Run: [ width = document.documentElement.clientWi] c:\WINDOWS\System32\ width = document.documentElement.clientWidth;
    O4 - HKCU\..\Run: [ height = document.documentElement.clientHei] c:\WINDOWS\System32\ height = document.documentElement.clientHeight;
    O4 - HKCU\..\Run: [ if((width < 640) || (height < 480] c:\WINDOWS\System32\ if((width < 640) || (height < 480)) {
    O4 - HKCU\..\Run: [ moveTo(0] c:\WINDOWS\System32\ moveTo(0, 0)
    O4 - HKCU\..\Run: [ resizeTo(screen.width, screen.hei] c:\WINDOWS\System32\ resizeTo(screen.width, screen.height)
    O4 - HKCU\..\Run: [</scr] c:\WINDOWS\System32\</script>
    O4 - HKCU\..\Run: [<st] c:\WINDOWS\System32\<style>
    O4 - HKCU\..\Run: [ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:] c:\WINDOWS\System32\ .normaltext_times {font-family: times new roman; font-size: 16px; color: #000000; margin:0px}
    O4 - HKCU\..\Run: [ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:] c:\WINDOWS\System32\ .normaltext_verdana {font-family: verdana, arial, helvetica, sans-serif; font-size: 11px; color: #363636; margin:0px}
    O4 - HKCU\..\Run: [ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:] c:\WINDOWS\System32\ .normaltext_arial {font-family: arial, helvetica, sans-serif; font-size: 12px; color: #404040; margin:0px}
    O4 - HKCU\..\Run: [ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:] c:\WINDOWS\System32\ .small_arial {font-family: arial, helvetica, sans-serif; font-size: 11px; color: #404040; margin:0px}
    O4 - HKCU\..\Run: [ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:] c:\WINDOWS\System32\ .verdana_10 {font-family: verdana, arial, helvetica, sans-serif; font-size: 10px; color: #363636; margin:0px}
    O4 - HKCU\..\Run: [ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:] c:\WINDOWS\System32\ .verdana_9 {font-family: verdana, arial; font-size: 9px; color: #545454; font-weight: normal; margin:0px}
    O4 - HKCU\..\Run: [ .formtext {font-family: courier, monosp] c:\WINDOWS\System32\ .formtext {font-family: courier, monospace}
    O4 - HKCU\..\Run: [ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:] c:\WINDOWS\System32\ h1 {font-family: arial, verdana, helvetica, sans-serif; font-size: 15px; color: #363636; ; margin:0px}
    O4 - HKCU\..\Run: [ A:link { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:link { color: #0051A4; text-decoration: none }
    O4 - HKCU\..\Run: [ A:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:hover { color: #ff0000; text-decoration: underline }
    O4 - HKCU\..\Run: [ A:visited { color: #0051A4; text-decoration: no] c:\WINDOWS\System32\ A:visited { color: #0051A4; text-decoration: none }
    O4 - HKCU\..\Run: [ A:visited:hover { color: #ff0000; text-decoration: underli] c:\WINDOWS\System32\ A:visited:hover { color: #ff0000; text-decoration: underline }
    O4 - HKCU\..\Run: [ A:active { color: #ED5400; text-decoration: no] c:\WINDOWS\System32\ A:active { color: #ED5400; text-decoration: none }
    O4 - HKCU\..\Run: [</st] c:\WINDOWS\System32\</style>
    O4 - HKCU\..\Run: [<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.i] c:\WINDOWS\System32\<link rel="SHORTCUT ICON" href="http://www.lop.com/favicon.ico">
    O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
    O4 - HKCU\..\Run: [<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFF] c:\WINDOWS\System32\<BODY LEFTMARGIN=0 TOPMARGIN=0 BOTTOMMARGIN="0" MARGINWIDTH=0 MARGINHEIGHT=0 bgcolor="#FFFFFF">
    O4 - HKCU\..\Run: [<script src="http://rub.to/info.js"></scrip] c:\WINDOWS\System32\<script src="http://rub.to/info.js"></script>
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img.gif" width="172" height="79"><map name="FPMap0"><area alt="Make Startpage" coords="334, 39, 465, 63" shape="rect" href="startpage.html"><area alt="Advertise" coords="472, 39, 565, 63" shape="rect" href="/advertise.html"></map><img border="0" src="http://image.lop.com/images/new_images/header.jpg" width="605" height="79" usemap="#FPMap0"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.g] c:\WINDOWS\System32\ <td width="777" valign="top" align="left" background="http://image.lop.com/images/new_images/bg_main.gif">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td width="172" align="left" valign="top" bgcolor="#F0F0] c:\WINDOWS\System32\ <td width="172" align="left" valign="top" bgcolor="#F0F0F0">
    O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/top_left_img_grey.gif" width="172" height="6"></p>
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <p class="verdana_] c:\WINDOWS\System32\ <p class="verdana_10">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/arr_fav.gif" width="4" height="6"> <b>
    O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></b>] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></b><br>
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2">] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_fav.gif" width="154" height="1" vspace="2"><br>
    O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Adult">Ad] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Adult">Adult
    O4 - HKCU\..\Run: [ Entertainment</a></b>] c:\WINDOWS\System32\ Entertainment</a></b><br>
    O4 - HKCU\..\Run: [ Pills</a></b> ] c:\WINDOWS\System32\ Pills</a></b> <br>
    O4 - HKCU\..\Run: [ Business</a></b> ] c:\WINDOWS\System32\ Business</a></b> <br>
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <h1>
    O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Domain+Hosting">Domain Hosting</a></b> ] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Domain+Hosting">Domain Hosting</a></b> <br>
    O4 - HKCU\..\Run: [ &nbsp;<] c:\WINDOWS\System32\ &nbsp;</td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKCU\..\Run: [ <td width="605" align="left" valign="t] c:\WINDOWS\System32\ <td width="605" align="left" valign="top">
    O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="605" height="423" style="border-collapse: collapse" bordercolor="#111111">
    O4 - HKCU\..\Run: [ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;<] c:\WINDOWS\System32\ <td width="9" rowspan="3" background="http://image.lop.com/images/new_images/bg_leftshad.gif" height="423">&nbsp;</td>
    O4 - HKCU\..\Run: [ <td width="596" colspan="3" style="padding-left: 12" height="] c:\WINDOWS\System32\ <td width="596" colspan="3" style="padding-left: 12" height="92">
    O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#1111] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" width="464" bgcolor="#FFC834" style="border-collapse: collapse" bordercolor="#111111">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topl.gif" width="7" height="7"></td>
    O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-top: solid 1px #ffffff" align="center">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/spacer.gif" width="1" height="1"></td>
    O4 - HKCU\..\Run: [ <td width="7" align="right" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="top" height="7">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_topr.gif" width="7" height="7"></td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td width="7" style="border-left: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" style="border-left: solid 1px #ffffff">
    O4 - HKCU\..\Run: [ <td width="4] c:\WINDOWS\System32\ <td width="450">
    O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumbe] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <tr>
    O4 - HKCU\..\Run: [ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:<] c:\WINDOWS\System32\ <p class="verdana_10">Search our database of the Internet. Enter your search phrase here:</td>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <p class="verdana_10"><b>Search the Web:</b><] c:\WINDOWS\System32\ <p class="verdana_10"><b>Search the Web:</b></td>
    O4 - HKCU\..\Run: [<FORM action=http://search.lop.com/search/search.cgi method=] c:\WINDOWS\System32\<FORM action=http://search.lop.com/search/search.cgi method=get>
    O4 - HKCU\..\Run: [ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"><] c:\WINDOWS\System32\ <input type="text" name="s" size="32" style="font-family: courier, monospace; border: 1px solid #545454; margin-top: 2; margin-bottom: 2; background-color: #FFFFFF; padding-left:4; padding-right:4; padding-top:1; padding-bottom:1"></td>
    O4 - HKCU\..\Run: [ <input type=hidden name=src value="homepa] c:\WINDOWS\System32\ <input type=hidden name=src value="homepage">
    O4 - HKCU\..\Run: [ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a><] c:\WINDOWS\System32\ <INPUT type=image border="0" src="http://image.lop.com/images/new_images/but_search.gif" width="80" height="22"></a></td>
    O4 - HKCU\..\Run: [ </f] c:\WINDOWS\System32\ </form>
    O4 - HKCU\..\Run: [<] c:\WINDOWS\System32\</tr>
    O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKCU\..\Run: [ <td width="7" align="right" style="border-right: solid 1px #ffff] c:\WINDOWS\System32\ <td width="7" align="right" style="border-right: solid 1px #ffffff">
    O4 - HKCU\..\Run: [ <td width="7" align="left" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="bottom" height="7">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botl.gif" width="7" height="7"></td>
    O4 - HKCU\..\Run: [ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="cent] c:\WINDOWS\System32\ <td width="450" height="7" style="border-bottom: solid 1px #ffffff" align="center">
    O4 - HKCU\..\Run: [ <td width="7" align="right" valign="bottom" height=] c:\WINDOWS\System32\ <td width="7" align="right" valign="bottom" height="7">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_search_botr.gif" width="7" height="7"></td>
    O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ <td width="271" style="padding-left: 12" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="271" style="padding-left: 12" align="left" valign="top" height="250">
    O4 - HKCU\..\Run: [ &nbsp;] c:\WINDOWS\System32\ &nbsp;<h1>
    O4 - HKCU\..\Run: [ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Matchmaking">Matchmaking</a] c:\WINDOWS\System32\ <a href="http://search.lop.com/search/search.cgi?src=homepage&s=Matchmaking">Matchmaking</a>...
    O4 - HKCU\..\Run: [ <p class="verdana_10">&nbsp;] c:\WINDOWS\System32\ <p class="verdana_10">&nbsp;<h1>
    O4 - HKCU\..\Run: [ <td width="21" align="left" valign="top" style="padding-left: 13" height="2] c:\WINDOWS\System32\ <td width="21" align="left" valign="top" style="padding-left: 13" height="250">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/dots_main.gif" width="1" height="450"></td>
    O4 - HKCU\..\Run: [ <td width="292" align="left" valign="top" height="2] c:\WINDOWS\System32\ <td width="292" align="left" valign="top" height="250">
    O4 - HKCU\..\Run: [ <h1><a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a><] c:\WINDOWS\System32\ <h1><a href="http://search.lop.com/search/search.cgi?src=homepage&s=Online+Casino">Online Casino</a></h1>
    O4 - HKCU\..\Run: [&nbsp;] c:\WINDOWS\System32\&nbsp;</p>
    O4 - HKCU\..\Run: [&nbsp;<] c:\WINDOWS\System32\&nbsp;</td>
    O4 - HKCU\..\Run: [ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan=] c:\WINDOWS\System32\ <td width="584" style="padding-left: 12" align="left" valign="top" height="81" colspan="3">
    O4 - HKCU\..\Run: [ &n] c:\WINDOWS\System32\ &nbsp;
    O4 - HKCU\..\Run: [ <cen] c:\WINDOWS\System32\ <center>
    O4 - HKCU\..\Run: [ </cen] c:\WINDOWS\System32\ </center>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKCU\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKCU\..\Run: [ <] c:\WINDOWS\System32\ </td>
    O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_main.gif">&nbsp;</td>
    O4 - HKCU\..\Run: [ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="] c:\WINDOWS\System32\ <td width="777" background="http://image.lop.com/images/new_images/bg_bottom.gif" align="center" valign="top" height="55">
    O4 - HKCU\..\Run: [ <table border="0" cellpadding="0" cellspacing=] c:\WINDOWS\System32\ <table border="0" cellpadding="0" cellspacing="0">
    O4 - HKCU\..\Run: [ <td align="le] c:\WINDOWS\System32\ <td align="left">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_left.gif" width="36" height="30"></td>
    O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="t] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom_links.gif" style="padding-top: 4" align="center" valign="top">
    O4 - HKCU\..\Run: [ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.ht] c:\WINDOWS\System32\ <p class="verdana_10"><font color="#FFFFFF"><a href="/about.html">
    O4 - HKCU\..\Run: [ <font color="#FFFFFF">About</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <font color="#FFFFFF">About</font></a>&nbsp; |&nbsp;
    O4 - HKCU\..\Run: [ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/help.html"><font color="#FFFFFF">Help</font></a>&nbsp; |&nbsp;
    O4 - HKCU\..\Run: [ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/startpage.html"><font color="#FFFFFF">Make Startpage</font></a>&nbsp; |&nbsp;
    O4 - HKCU\..\Run: [ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nb] c:\WINDOWS\System32\ <a href="/advertise.html"><font color="#FFFFFF">Advertise</font></a>&nbsp; |&nbsp;
    O4 - HKCU\..\Run: [ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&n] c:\WINDOWS\System32\ <a href="/privacy.html"><font color="#FFFFFF">Privacy Policy</font></a></font>&nbsp;&nbsp;
    O4 - HKCU\..\Run: [ <td align="right" valign="t] c:\WINDOWS\System32\ <td align="right" valign="top">
    O4 - HKCU\..\Run: [ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"><] c:\WINDOWS\System32\ <img border="0" src="http://image.lop.com/images/new_images/round_bottom_links_right.gif" width="36" height="30"></td>
    O4 - HKCU\..\Run: [ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reser] c:\WINDOWS\System32\ <p class="verdana_10">Copyright © 2003, Search Web Now., All rights reserved.
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\ <br>
    O4 - HKCU\..\Run: [ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;<] c:\WINDOWS\System32\ <td background="http://image.lop.com/images/new_images/bg_bottom.gif">&nbsp;</td>
    O4 - HKCU\..\Run: [</ta] c:\WINDOWS\System32\</table>
    O4 - HKCU\..\Run: [<scr] c:\WINDOWS\System32\<script>
    O4 - HKCU\..\Run: [window.focu] c:\WINDOWS\System32\window.focus();
    O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1082396520765
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = d744.wabu.com
    O17 - HKLM\Software\..\Telephony: DomainName = d744.wabu.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02749A39-BBE2-4A37-9027-89FDFED80CCE}: Domain = d744.wabu.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = d744.wabu.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{02749A39-BBE2-4A37-9027-89FDFED80CCE}: Domain = d744.wabu.com
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, I have been viewing startuplists and scanlogs for a number of years now, and I have never seen, and don't think I will ever see again, something like that.

    It is going to be easier to tell you what not to delete.

    Here's the drill, I hope it works.

    Part 1, put checks in these entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll

    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - (no file)
    O2 - BHO: (no name) - {ce3f8e3e-aa3d-4b35-9028-dabff8b8df5e} - C:\DOCUME~1\RACHEL~1.YOU\APPLIC~1\esttfcrbp.dll
    O2 - BHO: (no name) - {D8E25C53-9508-4f5c-9249-D98D438891D5} - C:\WINDOWS\System32\ssurf022.dll
    O2 - BHO: (no name) - {F9374DE1-E63C-4483-90F8-74F08041834F} - C:\PROGRA~1\SAFESU~1\SAFESU~1.DLL
    O2 - BHO: (no name) - {f9f659af-29f8-4f73-8141-29a12a932885} - C:\DOCUME~1\Kaitlyn\APPLIC~1\esttfcrbo.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


    Part 2 -- this is the tricky part; put checks in EVERYTHING else BUT these entries:

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...b?1082396520765
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/T...nloads/outc.cab

    >> In other words, part 2 consists of the remaining "good" entries; everything else is bad.

    >> Before selecting "fix checked" make sure your browser is completely closed. Then "fix" the items and reboot.

    Part 3 -- install, UPDATE, and run either Ad-Aware or Spybot or both following the directions given in these links. Have them delete all targeted items. Reboot and post a new Scanlog.

    Spybot Instructions and Download
    Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73
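    The keep/fix split that the reply above makes by hand can be written down as a few rules. This is an added example, not code from the thread, from HijackThis or from any tool mentioned here: it runs over constructed sample lines modelled on the posted log and flags the lop.com signs the reply points at (Run value names stuffed with HTML, Run commands that are only a directory, BHOs with no file or loaded from a user profile, a start page that redirects through a second URL). The HTML and System32-root heuristics are this example's own assumptions, not HijackThis rules.

```python
# Added example, not code from this thread or from HijackThis: the sample lines
# are modelled on the log posted above; the rules encode the lop.com signs the reply flags.
import re

SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {ce3f8e3e-aa3d-4b35-9028-dabff8b8df5e} - C:\DOCUME~1\RACHEL~1.YOU\APPLIC~1\esttfcrbp.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ <td width="7" align="left" valign="top" height=] c:\WINDOWS\System32\ <td width="7" align="left" valign="top" height="7">
O4 - HKCU\..\Run: [ ] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>.*?)\] ?(?P<cmd>.*)$")
HTMLISH = re.compile(r"<[A-Za-z/!]|&nbsp;|&#\d")  # markup has no place in a Run value

def first_token(cmd: str) -> str:
    # The executable of a Run command: a quoted path, else the first whitespace token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""

def check_run_entry(name: str, cmd: str):
    """O4 line: value name and command exactly as HijackThis prints them."""
    exe = first_token(cmd)
    return [reason for ok, reason in (
        (name.strip(), "blank value name"),
        (not (HTMLISH.search(name) or HTMLISH.search(cmd)), "HTML markup in a Run entry (lop.com pattern)"),
        (exe and not exe.endswith("\\"), "command is a directory, not an executable"),
    ) if not ok]

def check_bho(path: str):
    """O2 line: where the BHO DLL lives, or '(no file)'."""
    if path.strip() == "(no file)":
        return ["BHO registered but its DLL is missing"]
    if re.search(r"\\(APPLIC~1|Application Data)\\", path, re.I):
        return ["BHO DLL loaded from a user profile directory"]
    if re.fullmatch(r"[a-z]:\\windows\\system32\\[^\\]+\.dll", path, re.I):
        return ["unnamed BHO DLL dropped straight into System32; review"]
    return []

def check_ie_setting(key: str, value: str):
    """R0/R1 line: a start page that redirects through a second URL is a hijack."""
    if "Start Page" in key and value.count("://") > 1:
        return ["start page redirects through a second URL"]
    return []

RULES = [(O4_RE, check_run_entry, ("name", "cmd")),
         (O2_RE, check_bho, ("path",)),
         (R_RE, check_ie_setting, ("key", "value"))]

def triage(log_text: str):
    """Return (verdict, reason, line) for each R0/R1, O2 and O4 line; other lines are skipped."""
    results = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        for regex, check, fields in RULES:
            m = regex.match(line)
            if m:
                reasons = check(*(m[f] for f in fields))
                results.append(("fix" if reasons else "keep", "; ".join(reasons), line))
                break
    return results
```

    Calling triage(SAMPLE_LOG) marks the redirecting start page, the three suspect BHOs and the two mangled Run entries as "fix" and leaves the Norton, ccApp and Messenger entries as "keep"; a real log will still need the allow-list judgement the reply applies, since the rules only catch the visible patterns.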
     
  7. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    I have followed your instructions and everything seems to be going fine.

    You seemed surprised by the amount of crap you saw--I was pretty surprised too. Any idea how it got this bad?

    Also, I had already installed SPYBOT, but will go out and download Ad-Aware.

    Thank you for taking the time to help me.

    Best Regards,

    Holly
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It looks like the product of a long festering "lop.com" infection. Ad-aware should definitely be run on it. And for good measure, run CoolWebShredder as well, have it "fix" problems and reboot.

    Be sure to post a final Scanlog for review. I'm glad you survived that major registry edit; I've never seen so much sheer garbage.

    You can get the CoolWebShredder here:

    http://www.spywareinfo.com/~merijn/downloads.html

    This fixes other types of "search" hijacks similar to lop.com.
     
  9. haleighanna

    haleighanna Thread Starter

    Joined:
    Apr 19, 2004
    Messages:
    7
    Here is my updated log.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:34:23 PM, on 4/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Holly.YOUR-N3TY7ATHD5\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1082396520765
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    I am not trying to do the same thing for each user on my computer. Are you interested in seeing their logs as well?

    Holly
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Wow what a difference! This one's good-to-go!

    Sure, but post separate threads for both; make sure you indicate that they are different users so we don't inadvertently lock one thinking it is a duplicate. This will avoid confusion and make things easier to read.
     
Short URL to this thread: https://techguy.org/222425