Solved: Hitpointer redirects IE to "Adult" site

Occasionally when I click a link or type a web address a Hitpointer address appears instead which is a portal to an Adult Web site. I have run an up to date version of Ad-Aware but it does not help. How do I get rid of this malware? I have run HijakThis and the log is given below.

Any help would be much appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 17:59:38, on 14/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
c:\windows\system32\mhqpohru.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MHQPOHRU] c:\windows\system32\mhqpohru.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINDOWS\Downloaded Program Files\toolbar2.dll/SEARCH.HTML
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1822f4ef29e76bd1b122/netzip/RdxIE601.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.134.70:2000/activex/AxisCamControl.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/039848.exe
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE13} (TIBSLoader Class) - http://www.go-in-now.com/tl3000.dll
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_GB.cab
O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat

 

I suggest you do this:

Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [MHQPOHRU] c:\windows\system32\mhqpohru.exe /install
O16 - DPF: Win32 Classes -
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1822f4e...ip/RdxIE601.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.134.70:2000/activex/AxisCamControl.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.sexyplugin.com/diallerfiles/039848.exe
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE13} (TIBSLoader Class) - http://www.go-in-now.com/tl3000.dll
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_GB.cab

Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.


Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Open c:\windows\system32\mhqpohru.exe <---Delete File

If these exist in with your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

Post a new HijackThis Log

 

Many thanks. These actions all seemed to go OK.
New log is below.
Logfile of HijackThis v1.98.2
Scan saved at 22:44:26, on 15/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search with The Coolbar - res://C:\WINDOWS\Downloaded Program Files\toolbar2.dll/SEARCH.HTML
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {C5C07E0F-2186-4E24-BC24-1BFB42CFD6F5} - C:\Documents and Settings\Frank Kinghorn\Application Data\microsoft\internet explorer\V0.15.dat

 

Log looks pretty good to me. How's running?

Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane. Now click Tools, then hosts file the Add Spybot -S&D Hosts List. Click the link below for SpywareBlaster, download, install and update. Check for updates weekly. Still in Spybot, click tools in the left pane, HOSTS File and Add Spybot S&D Hosts List.

That will give you an added layer of protection against unwanted parasites.

 

My pc seems to be fine now - I've clicked on some of the links from which I was previously redirected and have deliberately mistyped some web addresses, in every case I got the correct link or was correctly directed to the "This web site does not exist" message. Thank you very much for your help - and for such prompt responses.

You suggest downloading SypBot and SpywareBlaster but do I need to do this if I continue to use Ad-Aware? Are these better than Ad-Aware, do they complement it, or are they just an extra level of security (two or three heads being better than one!).

Thanks again.

 

They all perform many of the same things but also protect against different. So I'd say extra level. Myself, I run a registery protect program and a firewall along with the above. Can't have enough protection

Glad we were able to help

 

CookieGal:

Good catch Cookie. Bad miss by me. Looks like CWShredder removed it in this thread.

http://forums.techguy.org/showthread.php?t=266662

Thanks

 

Thanks to both of you. Apologies for the delay in responding but I have been overseas for 2 weeks.
I've done as CookieGal suggested and run the 2 anti-virus programs and the subsequent HijackThis log is pasted below.
Logfile of HijackThis v1.98.2
Scan saved at 13:42:24, on 02/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

Everything seems OK with regard to security now, thanks. I do have a problem with my IDE-CD R/RW not functioning. Although this occured around the time I first contacted the TSG it was also the first time I had tried to use it after installing SP2 so I suspect it is something to do with that or it is a coincidental physical fault in the hardware. However I'll post a query on that in the Hardware section of Techguy as I presume I should not confuse this thread - but after I've sent off my donation in thanks for all your help so far!

 

Sorry to bother you again, but I've run Spybot several times and it keeps coming up with DSO Exploit and DyFuCA items. It "fixes" the former but not the latter but, on rebooting, both reappear. I've disabled System Restore after running Spybot and before rebooting but this makes no difference. I've attached the Spybot log. What have I done wrong?!

--- Search result list ---
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-583907252-507921405-1202660629-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DyFuCA: RAS profile (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\FCI

DyFuCA: RAS profile (Registry key, fixing failed)
HKEY_USERS\S-1-5-20\Software\FCI

DyFuCA: RAS profile (Registry key, fixing failed)
HKEY_USERS\S-1-5-19\Software\FCI

DyFuCA: RAS profile (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\FCI


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\LSP.sbi
2004-08-11 Includes\Cookies.sbi
2004-09-16 Includes\Dialer.sbi
2004-09-16 Includes\Hijackers.sbi
2004-09-16 Includes\Keyloggers.sbi
2004-09-16 Includes\Malware.sbi
2004-08-12 Includes\Revision.sbi
2004-09-16 Includes\Security.sbi
2004-09-16 Includes\Spybots.sbi
2004-09-16 Includes\Trojans.sbi
2004-08-30 Includes\Tracks.uti


--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player / SP0: Windows Media Player Hotfix [See Q828026 for more information]
/ Windows Media Player: Windows Media Update Q308567
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2


--- Startup entries list ---
Located: HK_LM:Run, AVG_CC
command: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
file: C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
size: 345661
MD5: a21829ad1ff2db8b77f3d6e42d76b9e1

Located: HK_LM:Run, EM_EXEC
command: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
file: C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
size: 28672
MD5: bcdbcd110dae1abca8f3787c8fcd3166

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\system32\SysTray.Exe
size: 3072
MD5: 46e07fd3a40760fda18cf6b4fc691742

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 7237366a57a26b7ed71c9b081fbdd6eb

Located: HK_LM:Run, Adaptec DirectCD (DISABLED)
command: C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

Located: HK_LM:Run, CreateCD (DISABLED)
command: C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r

Located: HK_LM:Run, InstantAccess (DISABLED)
command: C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
file: C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE
size: 37376
MD5: ef5fe31ef2a0c741de3c5650de0f5e91

Located: HK_LM:Run, LexmarkPrinTray (DISABLED)
command: PrinTray.exe
file: C:\WINDOWS\system32\PrinTray.exe
size: 36864
MD5: f6fbdf4b44ee9e5c58ac8d0508ae373a

Located: HK_LM:Run, LexStart (DISABLED)
command: Lexstart.exe

Located: HK_LM:Run, LoadQM (DISABLED)
command: loadqm.exe
file: C:\WINDOWS\loadqm.exe
size: 7536
MD5: 69d7217f9d7f49d6706baf90f52b472b

Located: HK_LM:Run, PCHealth (DISABLED)
command: C:\Windows\PCHealth\Support\PCHSchd.exe -s

Located: HK_LM:Run, RegisterDropHandler (DISABLED)
command: C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
file: C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
size: 23040
MD5: ebea065b4a6932c83059c190d1516e4c

Located: HK_LM:RunServices, Avgserv9.exe (DISABLED)
command: C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

Located: HK_LM:RunServices, LoadPowerProfile (DISABLED)
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\system32\Rundll32.exe
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff

Located: HK_LM:RunServices, SchedulingAgent (DISABLED)
command: mstask.exe

Located: HK_LM:RunServices, StillImageMonitor (DISABLED)
command: C:\WINDOWS\SYSTEM32\STIMON.EXE
file: C:\WINDOWS\SYSTEM32\STIMON.EXE
size: 14848
MD5: 8b9a897ba5db04aa59dc32bd2a112563

Located: HK_CU:Run, H/PC Connection Agent
command: "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
file: C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
size: 413775
MD5: e729abbad56fe6a7142abbe1743c80bb

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1667584
MD5: b53343fe60a33ee765c2476d50d27b26

Located: HK_CU:Run, MoneyAgent (DISABLED)
command: "C:\Program Files\Microsoft Money\System\Money Express.exe"
file: C:\Program Files\Microsoft Money\System\Money Express.exe
size: 127040
MD5: 0fb524b7b50e5913b2b52315cf1613f0

Located: HK_CU:Run, PopUpStopperFreeEdition (DISABLED)
command: "C:\Documents and Settings\Frank Kinghorn\My Documents\Internet\Pop-Up Stopper Free Edition\PSFree.exe"
file: C:\Documents and Settings\Frank Kinghorn\My Documents\Internet\Pop-Up Stopper Free Edition\PSFree.exe
size: 524288
MD5: e436db5d972bdbb83aed402f9024602e

Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 2ff8eebba2c04e619038d65dba422d15

Located: Startup (disabled), Logitech Desktop Messenger (DISABLED)
command: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe /start
file: C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe
size: 169472
MD5: 91291ca1490f952d977618544d540b87



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 15/05/2003 00:47:54
Date (last access): 04/10/2004
Date (last write): 15/05/2003 00:47:54
Filesize: 50376
Attributes: archive
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
CRC32: 1D771322
Version: 0.6.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name: SDHELPER.DLL
Date (created): 12/05/2004 01:03:00
Date (last access): 04/10/2004
Date (last write): 12/05/2004 01:03:00
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Internet Explorer Classes for Java (Internet Explorer Classes for Java)
DPF name: Internet Explorer Classes for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\iejava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control)
DPF name:
CLSID name: Microsoft Office Template and Media Control
Path: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\
Long name: IEAWSDC.DLL
Short name:
Date (created): 14/05/2004 18:01:46
Date (last access): 04/10/2004
Date (last write): 14/05/2004 18:01:46
Filesize: 87240
Attributes: archive
MD5: DCDD3DC308DAE40F09C9135FB8C2D7BF
CRC32: B9855495
Version: 0.11.0.0

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 27/08/2003 04:10:30
Date (last access): 04/10/2004
Date (last write): 27/08/2003 04:10:30
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 0.11.0.0

{74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
DPF name:
CLSID name: HouseCall Control
description: Trend Micro Antivirus online scanner
classification: Legitimate
known filename: XSCAN53.OCX
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\DOWNLO~1\
Long name: xscan53.ocx
Short name:
Date (created): 24/03/2004 18:22:12
Date (last access): 04/10/2004
Date (last write): 24/03/2004 18:22:12
Filesize: 435712
Attributes: archive
MD5: 99A67AEE9A6E3EFD2126AFA0840ECBED
CRC32: 9198FA39
Version: 0.5.0.70

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 07/08/2003 09:02:50
Date (last access): 04/10/2004
Date (last write): 07/08/2003 09:02:50
Filesize: 110592
Attributes: archive
MD5: BF100C75EBD536E45B2BE67A685DD39C
CRC32: 99F54DBA
Version: 0.55.0.2

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CEBC955E-58AF-11D2-A30A-00A0C903492B} ()
DPF name:
CLSID name:
description: Windows Update
classification: Legitimate
known filename: WUV3IS.DLL
info link:
info source: Patrick M. Kolla

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name: FLASH.OCX
Date (created): 08/04/2004 17:51:02
Date (last access): 04/10/2004
Date (last write): 08/04/2004 17:51:02
Filesize: 939368
Attributes: archive
MD5: 2FB1D6FAB135CEE391AB3D70E1C26347
CRC32: 488FA4EC
Version: 0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 04/10/2004 17:29:22

PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 324 ( 4) \SystemRoot\System32\smss.exe
PID: 372 ( 324) CSRSS.EXE
PID: 396 ( 324) \??\C:\WINDOWS\system32\winlogon.exe
PID: 440 ( 396) C:\WINDOWS\system32\services.exe
PID: 452 ( 396) C:\WINDOWS\system32\lsass.exe
PID: 596 ( 440) C:\WINDOWS\system32\svchost.exe
PID: 644 ( 440) SVCHOST.EXE
PID: 708 ( 440) C:\WINDOWS\System32\svchost.exe
PID: 776 ( 440) SVCHOST.EXE
PID: 860 ( 440) SVCHOST.EXE
PID: 984 ( 440) C:\WINDOWS\system32\spoolsv.exe
PID: 1164 ( 440) C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
PID: 1200 ( 440) C:\WINDOWS\System32\nvsvc32.exe
PID: 1324 ( 440) C:\WINDOWS\System32\svchost.exe
PID: 1624 (1552) C:\WINDOWS\Explorer.EXE
PID: 1660 (1624) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 1860 ( 440) alg.exe


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 04/10/2004 17:29:22

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.ntlworld.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{264A6673-8B13-474E-B2E3-D4F4C592EC35}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{264A6673-8B13-474E-B2E3-D4F4C592EC35}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8791D923-0A16-4A4E-A6D5-88DC415008C3}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8791D923-0A16-4A4E-A6D5-88DC415008C3}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3FE1CC7-3B00-4E10-9F4A-324AA5333A9F}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E3FE1CC7-3B00-4E10-9F4A-324AA5333A9F}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

 

Here is Hijack This log

Logfile of HijackThis v1.98.2
Scan saved at 09:37:02, on 05/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab