Please help me with log...

Discussion in 'adware, spyware & hijack cleaning' started by CarolynB, Jun 22, 2004.

Thread Status:
Not open for further replies.
  1. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    I ran Adaware, CWS, Spybot and Norton. Here is the log.
    I appreciate any assistance.
    Thank you.
    Carolyn
    Logfile of HijackThis v1.97.7
    Scan saved at 10:19:17 PM, on 06/22/04
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\wintime.exe
    C:\WINNT\mstasks2.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\WebSiteViewer\123796.dlr
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - HKLM\..\RunOnce: [Lusetup] C:\PROGRA~1\Symantec\LIVEUP~1\LUSetup.exe -a -q -log
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38100.7784375
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CarolynB,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot into safe mode and delete:
    C:\WINNT\system32\wintime.exe
    C:\WINNT\mstasks2.exe

    Regards,

    Pieter
     
  3. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~
    I did as you said and when I ran CWS I got a window with this message: One or 2 policy restrictions were found that prevent current user from changing IE homepage or accessing the internet options dialog. If you used Spybot's "immunize" function, uncheck last 2 "lock" items.

    I also got a window that said: Spywareguard Browser protection Alert
    Warning: Your IE default page has been changed! Your internet explorer local machine default page has been changed from http://213.159.117.132/index.php to <none> What do you want to do? Restore old values
    Keep new value

    (Pieter, what do I do here?) I think I clicked on keep new value since HJT fixed the first one but when I ran shredder same message appeared and it said the homepage was switched to "about". (?)
    One more thing, when I tried to delete the 2 files will it say exe on the end of them because it didn't. It said wintime and another said mytask2 (singular though...not plural. Is this the one to delete?) Geesh, I feel so dumb. Thank you so much for helping me.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Yes, those are probably the ones.
    To make sure:

    In Windows Explorer click Tools > Folder Options.
    On the Folder Options window, click the View tab. In the Advanced Settings group uncheck:
    [ ] Hide extensions for known file types
    Click Apply > Like Current Folder (located near the top of the Folder Options box) > OK. Close Windows Explorer.

    When you open a new Explorer window, the files should show their extensions (.exe or something else).

    Allow the changes you are making yourself, so as not to frustrate our attempts.
    Just read carefully what the windows say and try to understand what we are trying to accomplish.

    Regards,

    Pieter
     
  5. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~
    Here is my new log. How does it look?

    Thanks for the help.
    CarolynB

    Logfile of HijackThis v1.97.7
    Scan saved at 8:08:04 AM, on 06/24/04
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\mstasks2.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\rundll32.exe
    C:\unzipped\hijackthis\HijackThis.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38100.7784375
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9EAED6-275C-429A-898B-63A157047BDD}: NameServer = 205.188.146.146
     
  6. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~
    I have one more question regarding my screensaver/desktop screen on my pc. I used to have a photo on it but now it is a blank screen that is white but will sometimes change to gray. I tried to change it back and even tried to just use one of the screens that came with the computer but after I do this in control panel it does not work. I believe it may be related to the spyware problem I have but was wondering how to fix it now that the computer seems to be clean. What is your opinion? Again, thank you.
    Carolyn
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CarolynB,

    Bring up TaskManager (Ctrl-Alt-Del) and endtask:
    mstasks2.exe

    Immediately delete the file:
    C:\WINNT\mstasks2.exe

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u

    Then rightclick your desktop > Properties > Desktop
    > Background > Web tab (Active Desktop) > disable
    Appearance--Schemes--Item Desktop.

    Then reboot

    Regards,

    Pieter
     
  8. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~

    The file (mstasks2.exe) was already deleted I guess because it did not show up on the log and was not in the folder.

    When I right click my desktop and go to properties I do not get any options (background, etc.) so I went to control panel>display>background>web >appearance BUT there are no options for me to disable anything. I wish I could explain it better. Is there somewhere else I should be attempting to do this? Thank you.

    CarolynB
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CarolynB,

    Click Start > run > copy&paste

    regedit /e c:\dsktp.txt "HKEY_CURRENT_USER\Control Panel\Desktop"
    > OK

    Then find and post the content of: c:\dsktp.txt

    Regards,

    Pieter
     
  10. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~

    here it is.....

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "ActiveWndTrkTimeout"=dword:00000000
    "AutoEndTasks"="0"
    "CaretWidth"=dword:00000001
    "CoolSwitch"="1"
    "CoolSwitchColumns"="7"
    "CoolSwitchRows"="3"
    "CursorBlinkRate"="530"
    "DragFullWindows"="0"
    "DragHeight"="4"
    "DragWidth"="4"
    "FontSmoothing"="0"
    "ForegroundFlashCount"=dword:00000003
    "ForegroundLockTimeout"=dword:00030d40
    "GridGranularity"="0"
    "HungAppTimeout"="5000"
    "LowPowerActive"="0"
    "LowPowerTimeOut"="0"
    "MenuShowDelay"="400"
    "PaintDesktopVersion"=dword:00000000
    "Pattern"="(None)"
    "PowerOffActive"="0"
    "PowerOffTimeOut"="0"
    "ScreenSaveActive"="1"
    "ScreenSaverIsSecure"="0"
    "ScreenSaveTimeOut"="900"
    "TileWallpaper"="0"
    "UserPreferencesMask"=hex:9e,3e,00,80
    "WaitToKillAppTimeout"="20000"
    "Wallpaper"="C:\\WINNT\\River Sumida.bmp"
    "WheelScrollLines"="3"
    "WallpaperStyle"="2"
    "SCRNSAVE.EXE"="C:\\WINNT\\System32\\ssflwbox.scr"

     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CarolynB,

    Copy the part in bold below to notepad and save it as noactd.reg


    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoActiveDesktop"=dword:00000001


    Doubleclick the file and confirm you want to merge it with the registry.
    It may take a reboot for the changes to take effect.

    Regards,

    Pieter
     
  12. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter~

    This is the Registry Editor message I got when I tried to merge the file.

    Cannot import C:\DOCUME~1\CAROLY~1\MYDOCU~1\noactd.reg : The specified file is not a registry script. You can only import registry files.

    I saved it in My Documents folder. Should I have saved it somewhere else?

    Thanks again.

    Carolyn B
     
  13. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hello Pieter~
    I did something wrong. I went into the file and was trying to figure out how to make it work so I changed it to open with notepad and now when I double click on it, it opens and I don't get the option to merge it since it is not a registry file anymore. I can't change it back. What should I do? Sorry I messed with it.

    I also tried to "start over" by deleting the first file and copy and pasting it again. I opened a new text document and put it there (I thought that is how I was able to do it the first time) and saved it as noactd.reg and it said something about changing file name extensions may not work.
    I cannot open notepad without opening text document but I am probably wrong. HELP!
    Carolyn B
     
    Last edited: Jun 27, 2004
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Rightclick any .reg file, choose Open With and choose Registry-Editor.
    Put a checkmark in the "Always use this program to open..... " box.

    Did you copy everything? Including REGEDIT4 ?

    The file worked for me.

    Regards,

    Pieter
     
  15. CarolynB

    CarolynB Registered Member

    Joined:
    Apr 22, 2004
    Posts:
    19
    Hi Pieter!
    THANK YOU THANK YOU THANK YOU! It worked and my desktop screen is back! You are a genius!
    I ran Hijack This just to check and make sure it looked ok. Can you take one last look at it? There is a new listing (17) that wasn't there before.
    Again, thank you so much for helping me. I truly appreciate it.
    Carolyn B
    Logfile of HijackThis v1.97.7
    Scan saved at 5:05:04 PM, on 06/28/04
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\Program Files\America Online 9.0\aoltray.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\America Online 9.0\aolwbspd.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38100.7784375
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9EAED6-275C-429A-898B-63A157047BDD}: NameServer = 205.188.146.146
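
Comparing the first and last scans in this thread line by line is what surfaces the new O17 item and confirms that the fixed R1 and O4 items are gone. The same comparison as a script (an added example, not part of the thread or of HijackThis; `parse_log` and `diff_scans` are hypothetical names, and the sample text is a trimmed excerpt of the logs posted above):

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail")

# Item lines are "<code> - <detail>"; the code is R, F, N or O plus a number.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.+)$")

# Trimmed excerpts of the 06/22/04 and 06/28/04 scans posted in this thread.
FIRST_SCAN = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.exe
C:\WINNT\system32\wintime.exe
C:\WINNT\mstasks2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINNT\mstasks2.exe /u
"""

LAST_SCAN = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F9EAED6-275C-429A-898B-63A157047BDD}: NameServer = 205.188.146.146
"""


def parse_log(text):
    """Return (running process paths, item entries) from one HijackThis log."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries.add(Entry(match.group(1), match.group(2)))
        elif line.lower() == "running processes:":
            in_processes = True
        elif not line:
            in_processes = False
        elif in_processes:
            # Windows paths are case-insensitive, so compare them lowercased.
            processes.add(line.lower())
    return processes, entries


def entry_key(entry):
    # Sort O4 before O17 by comparing the numeric part as a number.
    return (entry.code[0], int(entry.code[1:]), entry.detail)


def diff_scans(before, after):
    """List what appeared and what disappeared between two scans."""
    procs_a, items_a = parse_log(before)
    procs_b, items_b = parse_log(after)
    return {
        "items_added": sorted(items_b - items_a, key=entry_key),
        "items_removed": sorted(items_a - items_b, key=entry_key),
        "procs_added": sorted(procs_b - procs_a),
        "procs_removed": sorted(procs_a - procs_b),
    }


if __name__ == "__main__":
    for label, values in diff_scans(FIRST_SCAN, LAST_SCAN).items():
        for value in values:
            print(label, "|", value if isinstance(value, str) else " - ".join(value))
```

The difference only shows what changed between scans; whether a new item such as the O17 line belongs on the machine still has to be judged from the entry itself.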
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands