Removing one of the latest variants of lop.com

This post is by no means made because I want to avoid helping any of you to remove lop.com infections. Neither is it ment to promote or disqualify any anti-spywaresoftware.

Actually it is only a warning to steer away from lop.com and to give you an idea of what it changes on your computer.

First I disabled all resident spywareprotection and my firewall so I would not "cripple" the installation.

In the installer it makes very little difference whether you click Accept, Decline or the red cross in the upper right corner, so no escape there.

These are the items changed after the installation in my Hijackthis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=thko.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://thko.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://thko.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://thko.com/searchbar.html
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - C:\WINDOWS\System32\bleetrfrzdf.dll
O2 - BHO: (no name) - {652d61d4-65df-4c4d-8cdf-bdbe9b9342ff} - C:\DOCUME~1\Pieter\APPLIC~1\gllnprgrtrf.dll
O4 - HKLM\..\Run: [zgrtrl] C:\DOCUME~1\Pieter\APPLIC~1\dhfrstee.exe -QuieT
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thko.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{575C73D2-1A72-4A39-B8F3-1B8B44829DA9}: Domain = thko.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{73C972C2-467E-4772-8FB2-D4D283F6F173}: Domain = thko.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B52223B-7618-4D0D-9866-5D64F0715A42}: Domain = thko.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = thko.com
O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}

Explanation:
R0 and R1 entries are changes made in the registry to change your IE searchbar, searchpages, startpage, search bar page and search assistant.
A list of lop.com domains can be found in this thread:
http://www.wilderssecurity.com/showthread.php?t=7367
O2 entries are Browser Helper Objects, dll´s that are called upon once you open an IE Window.
A list of known BHO´s can be found on this site:
http://www.spywareinfoforum.com/bhos/
Sometimes toolbars are added as well, listed in HijackThis under O3. A list of known Toolbars can be found here:
http://www.spywareinfoforum.com/toolbars/.
Don´t be surprised if you can´t find them there. Lop.com creates random CSLID´s as well as random names for the dll´s and it´s main executable, which can be found under O4. That is the Startup entry. There you will find the only give-away that has been consistently present: the funny looking -QuieT (always capital Q and T)
The O17 entries are changes to the LSP (winsock2). The wrong way of removing these will cost you your connection to the www.
The O18 entry is a change in your protocol.

A short explanation and downloadlinks for HijackThis can be found here: http://www.tomcoyote.org/hjt/#quick

So far the best way to prevent getting infected by lop.com is by using SpywareBlaster, SpywareGuard and Adwatch (part of AdAware Plus + Pro) or Spybot S&D Resident.

To get rid of lop.com search the entries listed above (taking into account all possible variations) and have HijackThis fix them.
Then scan your computer for remnants with your favorite spywarecleaner.

I hope this helps someone.

Regards,

Pieter

Adapted links
Once more adapted links and added info on toolbars

 

Pieter - Thank you. That's a great 'roadmap' of what to look for if lop were to somehow get past your defenses. Pete

 

Hi Pieter,

I have a question about the O18 change on the protocol: ayb, do you know what this does? And if Lop is starting to make changes to the protocol things are going to get worse fast. Or maybe I'm wrong.

Loki

 

Thnx Pete,

Getting it seems to be fairly easy, since they release new versions quite frequently.
Getting rid of it completely (without using Total Uninstall or System Restore) takes me over an hour, and I practice.

Regards,

Pieter

 

Hi Loki,

I don´t know why they chose to make that change or what is does, but I agree it´s very invasive. Maybe one of the real experts knows more about that.
That is not new to this variant however, they´ve been doing that before.

Regards,

Pieter

 

Thanks Pieter,

I hope someone knows what that change is doing and why. The protocol is how are computers talk to each other and to change something there seems Lop might what more then just to make spyware.

Loki

 

Back up your registry, before installing anything, then if something like Spyware is installed restore your registry using the back up.

 

Thanks for the work and info Pieter..they sure keep it a moving target and that was a good write up.l

 

That creates a new protocol that Internet Explorer can interpret it as the beginning of an address. Lop's software uses it make IE load content using an ayb://whatever address. CommonName does this, Google does it, mIRC does it, and several other programs do this.

http://
https://
ftp://
gopher://
irc://
file:///
ayb://
etc

 

Hi Mike,

Thanks

Loki

 

As comparison to the first log in this thread, a log made after installing the new version of Messenger Plus (which comes with lop bundled).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://Q29548.find-quick.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://Q29548.find-quick.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://Q29548.find-quick.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://Q29548.find-quick.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://Q29548.find-quick.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://Q29548.find-quick.com/searchbar.html
O2 - BHO: (no name) - {7684d979-132a-49cf-a60e-f28e3153c2fd} - C:\DOCUME~1\ADMINI~1\APPLIC~1\mpreegrylydr.dll
O3 - Toolbar: dsbrgrifrof - {be43feb6-3d63-476e-ab6c-90d81c1b8691} - C:\DOCUME~1\ADMINI~1\APPLIC~1\mpreegrylydr.dll
O4 - HKLM\..\Run: [kylypr] C:\DOCUME~1\ADMINI~1\APPLIC~1\idjhfrke.exe -QuieT
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = S16009.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CD43687-9479-47D7-A0D8-EDCBB46FDDF9}: Domain = S16009.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = S16009.find-quick.com

I din´t install this one myself, but found it on a reasonably well protected system, that had no other spyware on it.
So this may not be everything lop.com tries to change, but it gives you a good idea of how it has evolved over the last 3,5 months.

To our dismay other spywarecreators have followed their example, in randomizing elements, thus complicating the lives of the "good guys" that are trying to keep their prevention and removal software up-to-date.

This one has also been using:
O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
to start up the main executable.

In all known variants the dll's can be found in the Application Data folder. For the older variants the .exe can be found in that folder as well.

Hope this helps someone,

Pieter

Added the winactive startup

 

A new version is being bundled with MessengerPlus.
These are the changes visible in my HijackThis log.
NOTE. I'm only posting the lop aka C2Media related entries. I also got Apropos and Autoupdater (PeopleOnPage) entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mysearchnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

O2 - BHO: (no name) - {824F8823-2A01-47F2-EFEF-340566BB814C} - H:\PROGRA~1\HtmGrim\PHONE WIPE.dll

O3 - Toolbar: Draw audio plus - {E3DC3C46-12C9-0D73-BA34-770CE28F2AE4} - H:\PROGRA~1\HtmGrim\PHONE WIPE.dll

O4 - HKLM\..\Run: [biasrule] H:\PROGRA~1\abouthide\Platform Bait.exe

The folder- and filenames appear to come from a big but limited collection. The CLSID´s are random.

In the Program Files folder, three folders were added:
H:\Program Files\abouthide
Files: AMOK.exe = 32146 bytes
body grey.exe = 22528 bytes
For.exe = 135680 bytes
Platform Bait.exe = 214356 bytes
H:\Program Files\C2Media
File: Setup.exe = 7574 bytes
H:\Program Files\HtmGrim
Files: PHONE WIPE.dll = 196934 bytes
antepeak.dat = 6 kb

Recognition: in the folder where the executable is (listed under O4 in the HijackThis log), you will find one other executable represented by this icon:
(in my example the body grey.exe)

HTH,

Pieter

 

Hi Im having troble with the http :// mysearchnow . xxx/ tooolbar as well. I think it infected my pc after installing mnplus3. hears my log of hijackthis:
can you please telll me what files i should remover and if i should remove and other files shuche as program files. thanx a lot

Wilders no longer do HiJackThis logs, edited clickable link.
Please read Post below ~ TAS

 

Hi GotXA.

Wilders no longer does HJT logs.


PLEASE READ HERE

Please follow the advice given in there, go to the link and pick a forum which handles hijack logs.

Also, read carefully any instructions on the site you choose to follow their HJT guidelines.

TAS

 

aNYON CAN HELP:

I'VE GOT THE PEST SEARCH.COM IN MY SYTEM. WHAT DO I NEED TO CHANGE WITH BELOW LOG?

Logfile of HijackThis v1.98.2
Scan saved at 11:09:48, on 10.10.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Programme\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Programme\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Programme\Messenger Plus! 3\MsgPlus.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Microsoft Money\System\mnyexpr.exe
C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programme\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Programme\ArcorDSL\ArcorDSL.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOKUME~1\TE\LOKALE~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bieyzkmovmciiphd.biz/FR9ZWejoKDMZYRYQM0s/S4IbMPZ51spuzRD0RmofFiU.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.arcor.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.cmhflmtrulvvxqiaacnznky....iPDTtuiDx_t3faHNrN1INs5Vt2AYJJkBMJG4LEoz.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von Arcor
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Programme\Microsoft Money\System\mnyside.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.02.0002.1001\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.2001.0001\en-gb\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E57021D4-11DA-84BF-A794-7BF003484AE0} - C:\PROGRA~1\SAVEST~1\tons shim.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programme\Gemeinsame Dateien\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.2001.0001\en-gb\msntb.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~4\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Programme\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Programme\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programme\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programme\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Programme\MSN Apps\Updater\01.02.0002.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Morecurb] C:\PROGRA~1\1rdrdoes\DEFY ROAD.exe
O4 - HKLM\..\Run: [new body cash window] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ballarmynewbody\OBJFILM.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Programme\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet 5100 series\Bin\hpoant07.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader resident.lnk = C:\Programme\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programme\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Programme\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra button: Hot Video - {FFB51760-344E-4FFB-BFFF-4B18C7AC1D63} - C:\WINDOWS\System32\ShellExt\SYSCNTR.EXE (file missing)
O12 - Plugin for .tif: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.arcor.de
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://dl.dialerssolution.com/cax.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F1821FB-6E81-45E5-B442-A4179A7E67E4}: NameServer = 145.253.2.203 145.253.2.81