Registry Value Infected, Don't know how to remove it
shulamit74
post Aug 19 2008, 08:25 AM
Post #1





Hello,
I scanned my computer with Malwarebytes' Anti-Malware and it found a Trojan here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tfnslopk, but could not remove it. Can you help me delete it?
I am using XP pro sp2.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:00:25, on 18/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Loader] C:\DOCUME~1\user\LOCALS~1\Temp\svc32_4.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [SpyShredder] C:\Program Files\SpyShredder\SpyShredder.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\user\Local Settings\Temp\{42D3A29C-723E-4C51-93A5-345343026E87}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.18\AMVConverter\grab.html
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: tfnslopk - {1EC7B31A-615C-43D8-B1CA-412DAE1E84D5} - (no file)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Nla - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\svc32_1.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\svc32_1.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4902 bytes

Thanks, Anne

Billy O'Neal
post Aug 28 2008, 08:30 PM
Post #2





Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)

I want to apologise that it has taken so long to get back to you. We on the HJT Team are working as fast as possible to get your log answered.

If you would still like help, please post a new HiJack This log below, as things may have changed on your system.

If you do not still need help, please let me know, so that I can move on to other users who still need help.

Please take note of the following:
  • While a HJT Team member is working with you, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Please reply using the button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".


--------------------
The forum is always a busy place. In the event I fail to reply within twenty-four hours, feel free to send me a PM.
shulamit74
post Aug 29 2008, 08:17 PM
Post #3





Hey, thanks for answering dude.
Somehow I actually managed to get rid of the last Trojan. But I suspect there are other infections in my computer.
Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:15:31, on 30/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3147 bytes
Billy O'Neal
post Aug 29 2008, 09:47 PM
Post #4





Hello, shulamit74.
That looks clean to me. I do want to do a final check though.

I would like us to use ESET (NOD32)'s Online Scanner
  1. Please go to ESET OnlineScan (NOD32)
  2. You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  3. Now click Start
  4. Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  5. Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  6. To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  7. Press Scan
  8. The Onlinescan will now start and scan your pc (this could take a while)
  9. When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  10. Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  11. The Scanresults will now open in Notepad
  12. Click into the text area, right-click and choose "select all" (or use <Control>+A)
  13. Right-click again and choose "Copy" (or <Control>+C)
  14. Close/Exit Notepad
  15. Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Please let me know of any problems you may have encountered.


In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3


shulamit74
post Aug 30 2008, 08:23 AM
Post #5





Ok here's the ESET OnlineScan's Log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3401 (20080829)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5e635f9301be804ea644a31ec57fd059
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-30 12:47:17
# local_time=2008-08-30 02:47:17 (+0200, Jerusalem Standard Time)
# country="Israel"
# osver=5.1.2600 NT Service Pack 2
# scanned=145273
# found=3
# scan_time=3473
C:\Documents and Settings\user\Desktop\Tom_and_Jerry__Fists_Fury_By__Toxic.rar Win32/Keylogger.HotKeysHook.A trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\user\Desktop\Tom_and_Jerry__Fists_Fury_By__Toxic.rar »RAR »Tom_and_Jerry_ Fists_Fury_By _Toxic\trainer.exe Win32/Keylogger.HotKeysHook.A trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Tom_and_Jerry__Fists_Fury_By__Toxic\Tom_and_Jerry_ Fists_Fury_By _Toxic\trainer.exe Win32/Keylogger.HotKeysHook.A trojan (unable to clean - deleted) 00000000000000000000000000000000


When I tried to install the updates, an error occurred:

"The website has encountered a problem and cannot display the page you are trying to view. Take the following steps to try solving the problem:
Refresh the page.
In Internet Explorer, delete your Temporary Internet Files by going to the Tools menu and clicking Internet Options.
Close and then re-open Internet Explorer.


If these steps don’t work, try visiting the site later or using the resources provided below."

And indeed the steps did not work... what should I do?
Billy O'Neal
post Aug 30 2008, 11:55 AM
Post #6





Did it list an error code?

Should look like 0x00000EE2

Billy3


shulamit74
post Aug 31 2008, 05:56 AM
Post #7





Yeah Error number: 0x8DDD0004
Billy O'Neal
post Aug 31 2008, 02:17 PM
Post #8





Hello, shulamit74.

Please follow these instructions and restart windows update. See if things work now:

We need to repair some of windows' internal registration settings
  1. Please download Dial-A-Fix from one of the following mirrors:
  2. Extract the zip file to your desktop.
  3. Double click Dial-a-Fix.exe to start the program.
  4. Press the green double checkmark box (Looks like this: )
  5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
  6. When the window looks like this, press the GO button in the bottom of the window.
  7. Exit/Close Dial-A-Fix

Billy3


shulamit74
post Sep 2 2008, 01:05 PM
Post #9





It worked like magic and I managed to install the updates, sweet:D
There were some problems though.. lots of errors kept appearing during the Dial-A-Fix run, does it matter somehow?
Billy O'Neal
post Sep 2 2008, 07:51 PM
Post #10





QUOTE(shulamit74 @ Sep 2 2008, 02:05 PM) *
It worked like magic and I managed to install the updates, sweet:D

Glad to hear it.
*BillyONeal bowdown.gif Dial@Fix
QUOTE
There were some problems though.. lots of errors kept appearing during the Dial-A-Fix run, does it matter somehow?

It depends. What were the errors?

Please post a fresh HJT Log

Billy3


Billy O'Neal
post Sep 6 2008, 10:26 PM
Post #11





Hello, shulamit74.
Are you still here?

Billy3


Billy O'Neal
post Sep 7 2008, 10:41 PM
Post #12





EDIT: User returned, topic reopened.
Billy3

This post has been edited by Billy O'Neal: Sep 9 2008, 11:17 PM


shulamit74
post Sep 12 2008, 06:04 AM
Post #13





Thanks for reopening the topic. I tried to run dial-a-fix again, and this error appeared:
"Error 2147221165 was encountered while trying to unregister C:/WINDOWS/system32/wups2.dll. The error text is: invalid value for regisry..." Right afterwards, as the program continued running, another error appeared: Error 0X80070005: 'Access denied'. It advised me to run "repair permissions" and so I did, but it did not help. Can you help me fix this?
Billy O'Neal
post Sep 12 2008, 03:17 PM
Post #14





You shouldn't need to run D@F again... Things should be okay now. If that's the error you got then it can safely be ignored.

How are things running otherwise?

Please post a fresh HJT log.

Billy3


shulamit74
post Sep 16 2008, 12:14 PM
Post #15





Everything's working great (I think) but one problem. Every time I press "9" My computer folder opens, and every time I press "L" the Outlook Express opens. It's so annoying, please help me stop it.
Here's the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:11, on 16/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1220102949609
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NetDDEdsdm - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3313 bytes
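
The thread keeps asking for a fresh HijackThis log because entries change between scans. As an added example (not part of the thread and not HijackThis's own code), this Python script diffs the entry lines of two logs, using lines abridged from the logs in posts #3 and #15. The function names and the two review hints are assumptions of the example, and the hints are prompts for a reviewer, not verdicts.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Markers HijackThis itself appends when the referenced file is not on disk.
ABSENT_MARKERS = ("(file missing)", "(no file)")

# Sample input: lines abridged from the logs in posts #3 and #15 of this thread.
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
"""

NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\NetVision\Ad-Aware\Ad-Watch.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
"""


def parse_entries(log_text):
    """Return the set of (section, detail) pairs found in a log.

    Header lines and the running-process list do not match ENTRY_RE
    and are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def review_hints(detail):
    """Neutral hints for a human reviewer (assumed heuristics, not verdicts)."""
    low = detail.lower()
    hints = []
    if any(marker in low for marker in ABSENT_MARKERS):
        hints.append("target file absent")
    if "\\temp\\" in low:
        hints.append("target in a Temp directory")
    return hints


def diff_logs(old_text, new_text):
    """Entries that appeared or disappeared between two scans."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def report(old_text, new_text):
    """One text line per changed entry: '+' for added, '-' for removed."""
    changes = diff_logs(old_text, new_text)
    lines = []
    for sign, key in (("+", "added"), ("-", "removed")):
        for section, detail in changes[key]:
            hints = review_hints(detail)
            suffix = " [" + "; ".join(hints) + "]" if hints else ""
            lines.append(f"{sign} {section} - {detail}{suffix}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(OLD_LOG, NEW_LOG)))
```
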