Browser Hijacked...

Hi all,

I'm having a problem with something that, every ten minutes or so, takes over my browser (or starts it), and invites me to download and install some software from someone called MediaTickets, in order to view content on what looks like a porn site.

SpywareBlaster doesn't seem to see it, neither does Ad-Aware. Anybody have any idea what it is?

I have tried doing a system restore, deleted everything Ad-Aware found. Running out of ideas...

More information, the site it is trying to get me access is www.silvermagnet.com/babe . It attempts to get me to accept the software four times before it lets go. Maybe I should capitulate...

Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:17:53 p.m., on 3/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\wuam.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\SIMON~1.SIM\LOCALS~1\Temp\Rar$EX00.797\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12

 

Howdy, and welcome to Wilders! I've moved you to what I think is the best forum section for solving your problem. I do believe that if you follow the directions given in the "posting your HijackThis log" thread in this section, on of our experts will get you sorted as fast as possible!

 

Thanks!

 

Hi kiwijetpilot,

Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
These easily get lost in a Temp folder.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe

Then reboot and let us know if that cures it.
Could you please mail me a (preferably zipped) copy of:
C:\WINDOWS\System32\wuam.exe
Use the address in my profile please.

Regards,

Pieter

 

Well, tried that and couldn't find wuam.exe or even wuam.* , using the standard XP Pro search, looking in hidden files and folders.

However, let HijackThis fix the entries, and so far the problem hasn't recurred.

Any idea how this got to my PC, and how to prevent it?

Cheers,

Simon

 

Hi Simon,

That's good news.

Since we don't know what it was exactly it is hard to tell how you got infected. For some general tips: Why did I get infected in the first place

Regards,

Pieter

 

Thanks for that. I got curious and did a search... I assume I had the W32/Rbot-M worm. At least that seems to be the case from information on the Sophos site.

Again, thanks for all the help!

Simon

 

Good find.

I'll post the link in case anyone ends up in here through the search:
http://www.sophos.com/virusinfo/analyses/w32rbotm.html

Regards,

Pieter

 

Further to this, I have discovered that although running HijackThis, and "fixing" the three files noted above, solves the problem, it only lasts until I reboot the PC, at which point we are back to the same problem.

Anybody know how to fix it so that it doesn't load at startup?

Only Sophos seems to know about this worm, I haven't found any other refererences to it on other virus sites.

Any ideas?

Thanks!

 

Can you post a new HijackThis log?
And let me know if there are any other actively used user accounts.

Regards,

Pieter

 

OK, here you go.

There are four user accounts in total, only three are likely to have accessed the internet.

A couple of other things.

The PC has been sitting idling for about six hours, with no new instances of the problem. However, I just had another example of its behaviour - a browser opening and inviting me to install some software from MediaTickets- roughly ten minutes or so since I first opened internet explorer (which is the usual frequency that the problem occurs at). My PC is connected to the internet via an "always on" cable connection. When I disable the connection, the problem seems to go away.

I complained to MediaTickets, the company whose software appears to want me to install it. They have a website (www.mediatickets.net) which gives some clue as to how their software works. This was the reply (from stan@mediatickets.net):

So I did that, but the problem persists - although after running the downloaded removal tool, it indicated the program had been removed.

The reason I mention this, is that it appears that the problem may not be a virus exactly.

I downloaded a trial version of Sophos, but it only found four examples of the sasser worm, in backup files I made before a recent re-installtion of XP. I have instructed Sophos to disinfect them.

Anyway, here is the log - made just before the last occurrence:

Logfile of HijackThis v1.97.7
Scan saved at 12:54:12 a.m., on 9/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuam.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Internet Explorer\iexplore.exe
F:\Zips and Exes\hijackthis1977\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12


Cheers,

Simon

 

Simon,

I would be very surprised if this is not something far more nasty, evil and viral then MediaTickets:
C:\WINDOWS\System32\wuam.exe

I want to get rid of that first. If it solves the MediaTickets Mysery as well, I'll jump for joy.

Please surf to http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool
Download, unzip and run RegSrch.vbs
Copy and paste this in the dialog box: wuam.exe

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

Regards,

Pieter

 

Even more:

Although I still can't find wuam.exe, I did find a file called WUAM.EXE-09C950C6.pf . This lives in C:\windows\prefetch. Is that of interest to you? I can't email it to you as your email is disabled, and I don't think I can attach to a private message.

Cheers,

Simon

 

I can't get to the page you mention, to get RegSrch.vbs . I get the old "The page cannot be displayed" line. Anywhere else I can get it?

Cheers,

Simon

 

Here you go.

Regards,

Pieter

 

Thanks for that. Here you go:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "wuam.exe" 9/06/2004 1:48:16 a.m.

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Google\NavClient\1.1\History]
"wuam.exe"=hex:1c,3c,bf,40

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="wuam.exe"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pf]
"a"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"="wuam.exe"

 

Hi kiwijetpilot,

First "unhide" hidden files and folders like this:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

Then open op TaskManager and endtask wuam.exe

Then copy the part in bold below into notepad and save it as wuamrun.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Time"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Time"=-

Then doubleclick the file and confirm you want to merge it with the registry.
Then reboot and you should be able to find and delete:
C:\WINDOWS\System32\wuam.exe

If not, post back.

Regards,

Pieter

 

OK, did all that successfully, but still no wuam.exe . Is this file actually meant to be there... Only other difference is that wuam.exe is no longer running in Task Manager. Here is the latest regsrch output:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "wuam.exe" 9/06/2004 2:32:45 a.m.

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Google\NavClient\1.1\History]
"wuam.exe"=hex:1c,3c,bf,40

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="wuam.exe"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"f"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"

[HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\pf]
"a"="C:\\WINDOWS\\Prefetch\\WUAM.EXE-09C950C6.pf"


This is fun, in a peverse kind of way...!!!

Cheers,

Simon

 

We are making progress if it is no longer running and all the startups are gone.

If you look at the runing processes of your log from 12:54:12 a.m., on 9/06/2004
you will see that the file exists. It runs therefore it is, to twist Descartes arm.

Ok next stage, removing it.

Surf to http://download.broadbandmedic.com/
and download The Killbox.

Run the program and copy&paste the full path in the dialog box.
C:\WINDOWS\System32\wuam.exe

Then see to it that there is a checkmark in the backup box and use the Kill File button.

Regards,

Pieter

 

I'm sure Descartes won't mind!

OK did all that. Killbox found and deleted the file. I did ask for a backup (default position anyway), but I have no idea where killbox put it, or what it is now called! I tried searching for wuam.* but had no success. I really want to send you this file!

Cheers,

Simon

 

Look if C:\!Submit\[date] with the date of today exists.
If it does zip it up and mail it to me.

Regards,

Pieter

 

No, that doesn't exist... well I can't find it, anyway. Maybe it does exist and I am selectively refusing to see it. Maybe I have an anti-wuam.exe psychosis. Maybe the world is no longer turning...

 

At the risk of wasting our time, could you post one more HijackThis log?

Regards,

Pieter

 

Certainly!

I emailed the Killbox people to ask about where it stores its backup files, but haven't heard back yet.

Just wondering - the log below lists two system32 folders, one System32 (big S) one system32 (small s). Windows explorer only shows one folder (small s). There appear to be two iterations of some processes running. Should I be worried, or is that simply paranoia...

Enjoy...

Simon
----------------------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:05:06 p.m., on 9/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Paltalk\pnetaware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Zips and Exes\hijackthis1977\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/structure/my_bids_current.asp
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {CBA13183-40A1-45B9-B3E4-3C35A9F7E749} (DownloadManagerInstall Control) - http://byteswarm.com/agent/1.2.1/DMInstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41C9DCDB-73EF-46B7-B856-EE7F6C6955D7}: NameServer = 203.96.152.4,203.96.152.12

 

Hi kiwijetpilot,

No need for that. It makes a C:\!Submit\[date] folder to store the backups.

Paranoia. On both counts
Windows makes no difference between Capital and undercast.
Several processes (like svchost.exe) are supposed to be present several times.

Clean, I'm happy to say.

Regards,

Pieter